Abstract. This paper aims at carrying out termination proofs for simply typed higher-order calculi automatically by using ordering comparisons. To this end, we introduce the computability path ordering (CPO), a recursive relation on terms obtained by lifting a precedence on function symbols. A first version, core CPO, is essentially obtained from the higher-order recursive path ordering (HORPO) by eliminating type checks from some recursive calls and by incorporating the treatment of bound variables as in the so-called computability closure. The well-foundedness proof shows that core CPO captures the essence of computability arguments à la Tait and Girard, therefore explaining its name. We further show that no further type check can be eliminated from its recursive calls without losing well-foundedness, but one for which we found no counter-example yet. Two extensions of core CPO are then introduced which allow one to consider: the first, higher-order inductive types; the second, a precedence in which some function symbols are smaller than application and abstraction.


1. Introduction 

This paper addresses the problem of automating termination proofs for typed higher-order 
calculi by reducing them to ordering comparisons between lefthand and righthand sides of 
rules. 

It also addresses another, more fundamental problem of mathematical importance. Consider the set of terms generated by a denumerable set of variables, application, abstraction and some set of function symbols with arities, our version of the pure λ-calculus. We shall use a (possibly infinite) set R of pairs of λ-terms called rewrite rules as our computing device. Given a term as input, whether our computing device will eventually terminate and return an answer is in general undecidable, even if R is a singleton set [32]. It may even be undecidable for specific rewrite systems, such as the well-known β-reduction rule (formally defined here as the infinite set of its instances). A major question is the following: can we approximate the set of β-terminating terms by some meaningful subset? An important partial answer was given by Turing: the set of simply typed λ-terms, where the word simply refers to a specific typing discipline introduced by Church in the λ-calculus [25], is terminating when a specific strategy is employed [89]. The complete answer, the fact that the very same set is indeed terminating under any strategy, is due to Sanchis [81]. Tait and Girard gave later proofs [51, ?] which have been the basis of many further generalizations, by considering more rules (η-reduction, recursors, general schema), and more terms characterized by more elaborate type disciplines (polymorphic, dependent, inductive type systems). When considering β-reduction alone, the obtained approximations of the set of terminating λ-terms are quite satisfactory. But proving the corresponding statement, that computations terminate when given a typed λ-term as input, requires using an extremely powerful technique called reducibility¹, introduced by Tait for simply typed terms, and further developed by Girard for the richer type disciplines. Given a set of terms and a set of rewrite rules R, a reducibility predicate is defined by axioms that it should satisfy, mainly closure under term constructions, closure under rewriting with R, and containment in the set of terminating terms. Girard exhibited a particular predicate for β-reduction which can be easily adapted for other sets of rules, but there are sets of rules for which some typable terms originate an infinite computation. We therefore turn to a new undecidable question: which sets of rules admit a computability predicate?

The question we answer in this paper is whether this set S (of sets R of rules) admits 
some non-trivial decidable subset: our approximation of S is the set of sets R of rules such 
that pairs in R are ordered by (some instance of) the computability path ordering CPO. 

The work itself takes its roots in early attempts by Breazu-Tannen and Gallier [?] and independently Okada [?] to consider mixed typed λ-calculi with algebraic rewriting. Both works used Girard's computability predicates method to show that the strong normalization property of algebraic rewriting was preserved in the union. These results grew into a whole new area, by extending the type discipline on the one hand, and the kind of rules that could be taken care of on the other hand. The type discipline was extended independently by Barbanera and Dougherty in order to cover the whole calculus of constructions [?], while the rule format was extended as described next.

Higher-order rewrite rules satisfying the general schema, a generalization of Gödel's primitive recursion rules for higher types, were introduced by Jouannaud and Okada in the case of a polymorphic type discipline [56, ?]. The latter work was then extended first by Barbanera and Fernández [?] and finally by Barbanera, Fernández and Geuvers to cover the whole calculus of constructions [6]. Recursors for basic inductive types, whose constructors admit arguments of a non-functional type only, could be taken care of by the general schema, but arbitrary strictly positive inductive types could not, prompting for an extension of the schema, which was reformulated for that purpose by Blanqui, Jouannaud and Okada [?]. This new formulation was based on the notion of computability closure of a term f(t̄), defined as a set of terms containing t̄ and closed under computability preserving operations in the sense of Tait and Girard. Membership to the general schema was then defined for an arbitrary rewrite rule as membership of its righthand side to the computability closure of its lefthand side. This elegant, flexible and powerful definition of the general schema was finally extended by Blanqui in a series of papers, until it covered the entire calculus of inductive constructions including strong elimination rules [?], rewriting modulo some equational theories and rewriting with higher-order pattern-matching [?].

¹ In fact, Tait speaks of "convertibility" in [83], "realizability" in [84]; and Girard of "réductibilité" and "reducibility" in [?]. Following Gödel, "computability" is used by Troelstra in [58], p. 100.

Introduced by Jouannaud and Rubio, HORPO was the next step, the very first order on simply typed λ-terms defined by induction on the term structure, as is Dershowitz's recursive path ordering for first-order terms [?]. Comparing two terms with HORPO starts by comparing their types in a given well-founded ordering on types before proceeding recursively on the structure of the compared terms, in a way which depends on a comparison of the roots of both terms in a given well-founded order on the algebraic signature called the precedence [58]. HORPO was extended to the calculus of constructions by Walukiewicz [?], and to use semantic interpretations of terms instead of a precedence on function symbols by Borralleras and Rubio [22]. An axiomatic presentation of the rules underlying HORPO can be found in [?]. A more recent work in the same direction is [35]. A more general version of HORPO appears in [59], which uses the computability closure to strengthen its expressivity. Blanqui proved that the first version of HORPO is contained in an order defined as a fixpoint of the computability closure definition [12]. Indeed, HORPO and the computability closure share many similar constructs, raising expectations for a simpler and yet more expressive definition, instead of a pair of mutually inductive definitions for the computability closure and the ordering itself. On the positive side, the computability closure makes little use of type comparisons, hence may succeed when HORPO fails for type reasons. Unfortunately, its fixpoint is not a syntax-oriented definition, hence has a more limited practical usage.

Originally formulated in [16], the question of finding a syntax-oriented recursive definition of HORPO that would inherit the advantages of the computability closure paved the way to CPO, the computability path ordering. The first definition was given in [?], later improved as CPO in [18]. A major improvement of CPO is that type comparisons are no longer systematic, but occur in very specific cases. This does not only speed up computations, but also boosts the ordering capabilities in an essential way. Further, bound variables are handled explicitly by CPO, allowing for arbitrary abstractions in the righthand sides together with a more uniform definition.

In this paper, we present an in-depth study of an improved version of CPO for a simple extension of Church's simple type discipline [25], before we extend it to inductive types along the lines suggested in [18], following a technique dating back to Mendler [?] and extended to rewriting by Blanqui [?]. In particular, we first show that many improvements of CPO cannot be well-founded: type comparisons are necessary when recursive calls deconstruct the lefthand side, but are not otherwise. While this all came out of the well-foundedness proof, it indeed shows a strong relationship between the recursive structure of CPO and the computability predicates method of Tait and Girard that is used to carry out the proof, which explains the name CPO. We then address the treatment of inductive types which remained ad hoc so far, thanks to the use of accessibility, a relationship introduced by Blanqui which generalizes the notion of inductive type [?]. We finally introduce another novelty: small symbols. In all previous definitions, function symbols were bigger in the precedence than application and abstraction. Such symbols are now called big, while small symbols behave differently, being possibly smaller than both. Small symbols were suggested by Li to carry out a generalization of CPO to dependent types [55].

In the recent years, the success of HORPO has prompted interest in the generalization to higher-order computations of various other methods used for first-order computations, most notably Arts and Giesl's dependency pairs [2, ?, 50] yielding for instance [80, 68, ?, 82, 62, 63], and interpretation methods [70, 69, 93, 27] yielding for instance [90, ?, ?, ?].

The paper is organized as follows. First, we define the sets of types and terms that we consider (simply typed λ-terms with function symbols of fixed arity), and the class of orderings on types that can be used in CPO. We then give a first definition of our ordering (core CPO), and show that it can hardly be improved while keeping the same recursive structure and well-foundedness. We then show how to prove its well-foundedness by extending Tait and Girard's technique of computability predicates. In the following sections, we consider two extensions of core CPO. In the first one, core CPO is extended by using accessible subterms, which allows one to handle strictly inductive types. In the second, application or abstraction are allowed to be bigger than a function call. Concluding remarks are given in Section 9.

We recommend surveys [36, 86] for rewriting and [7] for typed λ-calculus.

2. Types and admissible type orderings 

CPO is a relation on well-typed terms but, instead of allowing the comparison of terms of the same type only, it allows the type to decrease in some well-founded ordering. However, not every type ordering is admissible.

In this section, we first recall the definition of (simple) types and some basic functions 
on types. Then, we define what are the (strict) orderings on types that can be used in CPO, 
study some of their properties and give an example based on a well-founded precedence on 
type constants. 

Definition 2.1 (Types). Let S be a set of sorts. The set T of types, the arity a(_) and the order o(_) of a type are inductively defined as follows:

• a sort A ∈ S is a type of arity a(A) = 0 and order o(A) = 0;

• if T and U are types, then T → U is a type of arity a(T → U) = 1 + a(U) and order o(T → U) = max{1 + o(T), o(U)}.

We use capital letters for types and a different font for sorts (e.g. T and A), and T̄ for a (possibly empty) sequence of types T₁, …, Tₙ, of length |T̄| = n.

As usual, → associates to the right so that A → A → A and A → (A → A) are the same. Given a relation R, let R⁺ (resp. R*) denote the transitive (resp. transitive and reflexive) closure of R.

Definition 2.2 (Admissible type orderings). Let >_l and >_r be the relations on types such that T → U >_l T and T → U >_r U respectively, and ⊳ be the transitive closure of their union. A (strict) ordering > on types is admissible if:

• >_r ⊆ > (typ-right-subterm)

• ≻ = (> ∪ >_l)⁺ is well-founded (typ-sn)

• if T → U > V, then U ≥ V or V = T → U' with U > U' (typ-arrow)

where ≥ is the reflexive closure of >. We say that a type T is compatible (resp. strictly compatible) with a sort A, written Sort≤A(T) (resp. Sort<A(T)), if B ≤ A (resp. B < A) for every sort B occurring in T.

Admissible type orderings originate from [59]. Note that a sort can be bigger than an arrow type. If A is a sort occurring in T, then T ⊵ A. Finally, note that the relation ≻ is a simplification ordering [34].

We now give an example of an admissible ordering based on a well-founded precedence on sorts. For a concrete use case, see Example 5.2 below.

Lemma 2.3. Given a well-founded ordering >_S on sorts, let > be the smallest ordering on types containing >_S and >_r and such that, for all U, V, V', V > V' implies U → V > U → V'. Then, > is admissible.

Proof.

• (typ-sn) ≻ is included in the RPO extending >_S [33], hence is well-founded.

• (typ-right-subterm) By definition.

• (typ-arrow) Let T → U > V. The proof is by induction on the definition of >.

  (1) > is >_S. Impossible since T → U is not a sort.

  (2) > is >_r. Then U = V, hence U ≥ V.

  (3) V = T → W and U > W. Immediate.

  (4) T → U > W > V. By induction hypothesis applied to T → U > W, there are two cases:

    – U ≥ W. Then, by transitivity, U ≥ V.

    – W = T → U' for some U' < U. By induction hypothesis on T → U' > V, there are two cases:

      * U' ≥ V. By transitivity, U > V.

      * V = T → V' for some V' < U'. By transitivity, U > V' and we are done. □


In the following, we prove some properties of admissible type orderings:

Lemma 2.4. Let > be an admissible type ordering. If T → U > T' → U', then U > U'.

Proof. By (typ-arrow), either T = T' and U > U', or U ≥ T' → U', in which case we conclude by (typ-right-subterm) and transitivity. □

Lemma 2.5. Let > be an admissible type ordering. If A > U, then Sort<A(U).

Proof. Let B be a sort occurring in U. Then, U ⊵ B. Hence, by transitivity, A > B. □

Lemma 2.6. Let > be an admissible type ordering. If T > U and Sort≤A(T), then Sort≤A(U).

Proof. Let C be a sort occurring in U. We proceed by induction on T.

• T = B. Since Sort≤A(T), B ≤ A. By Lemma 2.5, Sort<B(U) and C < B. Therefore, by transitivity, C < A.

• T = S → T'. Then, Sort≤A(S) and Sort≤A(T'). By (typ-arrow) there are two cases:

  – T' ≥ U. Then, by induction hypothesis, Sort≤A(U).

  – U = S → U' and T' > U'. By induction hypothesis, Sort≤A(U'). Hence Sort≤A(U). □


3. Terms 

In this section, we define the set of terms on which CPO operates. We consider simply typed λ-terms [25, 7] with function symbols of fixed arity, that is, a function symbol of arity n always comes with n arguments. We assume that every variable or function symbol comes equipped with a fixed type and that α-equivalence replaces a variable by another variable of the same type.
Definition 3.1 (Terms). Let X be an infinite set of variables, each variable x being equipped with a type τ(x) ∈ T so that there is an infinite number of variables of each type. Let also F be a (finite or infinite) set of function symbols disjoint from X, each function symbol f being equipped with a type τ(f) ∈ T and an arity a(f) ≤ a(τ(f)). The declaration fⁿ : T indicates the arity n and type T of f. The set ℒ of terms is defined inductively as follows:

• a variable x is a term of type τ(x);

• if fⁿ : T₁ → … → Tₙ → U and t₁, …, tₙ are terms of type T₁, …, Tₙ respectively, then f(t₁, …, tₙ) is a term of type U;

• if t and u are terms of types U → V and U respectively, then tu is a term of type V;

• if x is a variable and t is a term of type T, then λxt is a term of type τ(x) → T.

We denote by τ(t) the type of a term t, and write t : T when τ(t) = T.

We usually write f : T for the declaration f⁰ : T, omitting the arity n = 0, and f for f(). Note that a term f(t̄) may have a functional type, hence can be applied. Application associates to the left so that tuv is the same as (tu)v.

We use the letters x, y, z, … for variables, f, g, … for function symbols, and a, b, …, s, t, u, v, …, t', u', … for terms.

We denote by FV(t) the set of free variables in t, by ⊳ the strict subterm relationship on terms, and by ⊵ its reflexive closure. The height of a term t, written |t|, is the height of its tree representation: |x| = 0, |f| = 0 if a(f) = 0, |f(t̄)| = 1 + max{|tᵢ| | 1 ≤ i ≤ a(f)} if a(f) > 0, |tu| = 1 + max{|t|, |u|} and |λxt| = 1 + |t|.

Definition 3.2 (Substitution).

• A substitution is a function σ : X → ℒ such that dom(σ) = {x ∈ X | σ(x) ≠ x} is finite and, for every x, τ(σ(x)) = τ(x). As usual, the application of a substitution σ to a term t, written tσ, is defined so as to avoid free-variable captures when renaming some bound variables of t by new variables of the same type [?].

• A substitution σ is away from a finite set of variables X if (dom(σ) ∪ FV(σ)) ∩ X = ∅, where FV(σ) = ∪{FV(σ(x)) | x ∈ dom(σ)}.

• A relation > on terms (or sequences of terms) is stable by substitution away from X if aσ > bσ whenever a > b and σ is away from X. A relation is stable by substitution if it is stable by substitution away from ∅.

We will use the letters σ, θ, … for substitutions, and denote the substitution mapping the variables x̄ of its domain to the terms in t̄ (hence |x̄| = |t̄|) by (f).

Note that stability by substitution reduces to the standard definition: > is stable by substitution if aσ > bσ whenever a > b (because any substitution is away from ∅).

The equivalence relation identifying terms up to type-preserving renaming of their bound variables is called α-equivalence and written =_α as usual [?].

Given a relation R, let SN_T(R) be the set of terms of type T from which there is no infinite sequence of R-steps, and SN(R) = ∪{SN_T(R) | T ∈ T}.
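The four term-formation cases of Definition 3.1, together with the height and free-variable functions, translate directly into a small type checker. The following Python program is an added example, not part of the paper. It uses the signature of Example 5.2 (sorts L and C, the abbreviation ¬T = T → L, symbols d, c and e, and the rule e c(x) → x e); reading c's argument type as ¬¬C, so that both sides of the rule are well typed, is this example's own reading of the declaration, and the term encoding and all helper names are its own as well.

```python
# Added example (not from the paper): the terms of Definition 3.1 with a
# type checker following its four cases, the height |t| and the free
# variables FV(t).  Types: a sort is a str, an arrow type T -> U is ("->", T, U).

def arrow(t, u):
    return ("->", t, u)

# Term constructors: variables, function calls with a fixed arity,
# applications and abstractions (encoding chosen for this example).
def var(x):           return ("var", x)
def fun(f, *args):    return ("fun", f, tuple(args))
def app(t, u):        return ("app", t, u)
def lam(x, t):        return ("lam", x, t)

class Signature:
    def __init__(self, var_types, fun_decls):
        self.var_types = var_types    # x -> tau(x)
        self.fun_decls = fun_decls    # f -> (arity, tau(f)), with arity <= a(tau(f))

    def type_of(self, term):
        """tau(t); raises TypeError when the term is not well typed."""
        kind = term[0]
        if kind == "var":
            return self.var_types[term[1]]
        if kind == "fun":
            f, args = term[1], term[2]
            n, ty = self.fun_decls[f]
            if len(args) != n:                  # fixed arity: exactly n arguments
                raise TypeError(f"{f} has arity {n}, got {len(args)} arguments")
            for arg in args:                    # peel T1 -> ... -> Tn -> U
                if isinstance(ty, str) or self.type_of(arg) != ty[1]:
                    raise TypeError(f"ill-typed argument of {f}")
                ty = ty[2]
            return ty
        if kind == "app":                       # t : U -> V and u : U give tu : V
            tt, tu = self.type_of(term[1]), self.type_of(term[2])
            if isinstance(tt, str) or tt[1] != tu:
                raise TypeError("application of a non-function or wrong argument type")
            return tt[2]
        if kind == "lam":                       # lambda x t : tau(x) -> tau(t)
            x, body = term[1], term[2]
            return arrow(self.var_types[x], self.type_of(body))
        raise ValueError(kind)

    def well_typed(self, term):
        try:
            self.type_of(term)
            return True
        except TypeError:
            return False

def height(term):
    kind = term[0]
    if kind == "var":
        return 0
    if kind == "fun":                           # |f| = 0 when a(f) = 0
        return 1 + max(map(height, term[2])) if term[2] else 0
    if kind == "app":
        return 1 + max(height(term[1]), height(term[2]))
    return 1 + height(term[2])                  # lam

def free_vars(term):
    kind = term[0]
    if kind == "var":
        return {term[1]}
    if kind == "fun":
        return set().union(*map(free_vars, term[2]))
    if kind == "app":
        return free_vars(term[1]) | free_vars(term[2])
    return free_vars(term[2]) - {term[1]}       # lam binds its variable

def example():
    L, C = "L", "C"
    neg = lambda t: arrow(t, L)                 # the abbreviation notT = T -> L
    sig = Signature({"x": neg(neg(C))},
                    {"d": (0, C), "c": (1, arrow(neg(neg(C)), C)), "e": (0, neg(C))})
    lhs = app(fun("e"), fun("c", var("x")))     # e c(x)
    rhs = app(var("x"), fun("e"))               # x e
    return {
        "lhs_type": sig.type_of(lhs), "rhs_type": sig.type_of(rhs),
        "lhs_height": height(lhs), "rhs_height": height(rhs),
        "fv": free_vars(lhs) | free_vars(rhs),
        "abstraction_type": sig.type_of(lam("x", rhs)),
        "fv_closed": free_vars(lam("x", rhs)),
        "arity_mismatch_rejected": not sig.well_typed(fun("c")),
        "self_application_rejected": not sig.well_typed(app(fun("e"), fun("e"))),
    }
```

Both sides of the rule get type L, as the type comparison in Example 5.2 requires, and the checker rejects a call of c without its single argument (fixed arity) as well as the application of e to itself (argument type mismatch).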

4. Relations 

One ingredient of CPO is a well-founded quasi-ordering on function symbols and, for each equivalence class generated by the corresponding equivalence relation, a status stat ∈ {mul} ∪ {lex(n) | n ≥ 2} prescribing how to compare the arguments of two equivalent symbols, by either its multiset [?] or lexicographic extension. We hereafter recall the necessary definitions and state some simple but important properties of these operations. The product extension is introduced here for technical reasons.

Given a relation > on terms, let:

• t̄ >_prod ū if |t̄| = |ū| and there is j ∈ {1, …, |ū|} s.t. tⱼ > uⱼ and, for all i ≠ j, tᵢ = uᵢ;

• t̄ >_mul ū if {t̄} (>ₘ)⁺ {ū}, where {t̄} is the multiset made of the elements in t̄ and M + {x} >ₘ M + {y₁, …, yₙ} (n ≥ 0) if, for all i, x > yᵢ (+ being the multiset union);

• t̄ >_lex(n) ū if there is j ∈ {1, …, n} such that tⱼ > uⱼ and, for all i < j, tᵢ = uᵢ.

Note that both >_mul and >_lex(n) may compare all the arguments whatever their types are (from left to right for >_lex(n)). In [14], the first author describes a more general version of these statuses that takes types into account and allows reordering and filtering of the arguments [2]. We could also consider statuses combining both lexicographic and multiset comparisons [39].

In the following, we will omit n in >_lex(n) and simply write >_lex.

Here are the properties of statuses we will rely on:

Proposition 4.1. Given a relation > on terms:

• >_stat preserves termination: if > is well-founded, then >_stat is well-founded.

• >_stat contains >_prod.

• >_stat preserves stability: if > is stable by substitution away from X, then so is >_stat.
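The three argument-comparison extensions above, and the second item of Proposition 4.1, can be checked on sample inputs. The following Python program is an added example, not part of the paper: it implements >_prod, >_mul and >_lex(n) for an arbitrary base relation passed as a function, and verifies by brute force on small sequences that both statuses contain >_prod. The base relation used in the sample is the usual > on integers, a constructed stand-in for a relation on terms; function names are this example's own.

```python
# Added example (not from the paper): the product, multiset and lexicographic
# extensions of Section 4, parameterised by the base relation `gt`, plus a
# brute-force check of Proposition 4.1 (second item) on small sequences.
from collections import Counter
from itertools import product

def gt_prod(gt, ts, us):
    """t >_prod u: same length, one position strictly bigger, the rest equal."""
    if len(ts) != len(us):
        return False
    differ = [i for i, (t, u) in enumerate(zip(ts, us)) if t != u]
    return len(differ) == 1 and gt(ts[differ[0]], us[differ[0]])

def gt_mul(gt, ts, us):
    """t >_mul u, the multiset extension.  Uses the standard characterisation
    of the transitive closure of the one-step replacement relation: cancel
    the common elements; something must remain on the left, and every
    remaining right element must lie below some remaining left element.
    (`gt` is assumed transitive, as a strict ordering on terms is.)"""
    left, right = Counter(ts), Counter(us)
    common = left & right
    left, right = left - common, right - common
    if not left:
        return False
    return all(any(gt(x, y) for x in left.elements()) for y in right.elements())

def gt_lex(gt, ts, us):
    """t >_lex(n) u: the first differing position is strictly bigger on the left
    (positions after it are not compared)."""
    if len(ts) != len(us):
        return False
    for t, u in zip(ts, us):
        if t != u:
            return gt(t, u)
    return False

def extension(stat):
    """>_stat for stat in {mul, lex}."""
    return {"mul": gt_mul, "lex": gt_lex}[stat]

def check_contains_prod(gt, stat, universe, n):
    """Proposition 4.1, second item, checked over all pairs of n-tuples drawn
    from `universe`: whenever t >_prod u, also t >_stat u."""
    ext = extension(stat)
    return all(ext(gt, ts, us)
               for ts in product(universe, repeat=n)
               for us in product(universe, repeat=n)
               if gt_prod(gt, ts, us))

def example():
    gt = lambda a, b: a > b            # constructed base relation: > on integers
    return {
        "prod": gt_prod(gt, (3, 1, 2), (3, 0, 2)),
        "prod_two_changes": gt_prod(gt, (3, 1), (2, 0)),
        # one 5 replaced by three smaller 4s, the 1 kept: a multiset decrease
        "mul_replace_by_smaller": gt_mul(gt, (5, 1), (4, 4, 4, 1)),
        "mul_not_bigger": gt_mul(gt, (5, 1), (5, 2)),
        "mul_reflexive": gt_mul(gt, (2, 2), (2, 2)),
        "lex": gt_lex(gt, (1, 9, 0), (1, 2, 7)),
        "lex_not": gt_lex(gt, (1, 2, 7), (1, 9, 0)),
        "mul_contains_prod": check_contains_prod(gt, "mul", range(3), 2),
        "lex_contains_prod": check_contains_prod(gt, "lex", range(3), 2),
    }
```

The multiset case is the one worth reading twice: (5, 1) >_mul (4, 4, 4, 1) although the right-hand sequence is longer, because one element may be replaced by any number of smaller ones, while (5, 1) is not above (5, 2) and no sequence is above itself.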


5. Computability path ordering 

In this section, we give the core definition of the computability path ordering (CPO) before exploring its limits by means of examples and comparing it with its father definition, HORPO.

5.1. Definition of core CPO. We assume given:

• an admissible ordering on types >;

• a quasi-ordering ≥_F on F, called precedence, whose equivalence ≥_F ∩ ≤_F is written ≃_F and strict part ≥_F \ ≤_F is written >_F and assumed well-founded;

• for every f ∈ F, a status stat(f) ∈ {mul} ∪ {lex(n) | n ≥ 2} such that symbols equivalent in ≃_F have the same status.

Definition 5.1 (Core computability path relation). The core computability path relation is the relation >^τ_∅ (>^τ for short) where:

• the set of big symbols is identical to F²;

• for any given finite set X of variables, >_X is inductively defined in Figure 1;

• t >^τ_X u if t >_X u and τ(t) ≥ τ(u);

• ≥_X (resp. ≥^τ_X) is the reflexive closure of >_X (resp. >^τ_X).

The parameter X serves as a meta-level binder to keep track of the variables that were previously bound in the righthand side but have become free when destructuring a righthand side abstraction. We shall say that a variable x is fresh with respect to a comparison u >_X v if x ∉ FV(u) ∪ X ∪ FV(v).

² In core CPO, all symbols are big. Small symbols will show up in Section 8.
Figure 1: Core CPO

Note that the parameter X is carried along computations without change, except in rule (F_bλ). Hence, any comparison u >_X v generated from an initial comparison s >_∅ t implies X ∩ FV(u) = ∅.

Explicit variable renamings and the associated freshness conditions are used to make the relation invariant by α-equivalence, the smallest congruence generated by the equation λxt = λy(t^y_x) if τ(x) = τ(y) and y ∉ FV(λxt) [?], and by appropriate renaming of the variables in X, as we shall prove later.

Note the seemingly complex behaviour of application in rule (@=), which allows one to search the lefthand side for appropriate arguments bigger than those of the righthand side. This enhancement of CPO intends to mimic the corresponding rule of HORPO without flattening lefthand sides.

Having function symbols equipped with an arity is more general than having uncurried function symbols (i.e. of null arity) only: any uncurried system can be dealt with as it is. However, in this case, the (F_b_) rules are very limited: (F_b⊳) is not applicable, (F_b=) and (F_b>) reduce to the precedence itself. Moreover, applications of the form f t̄ with |t̄| > 0 can only be compared by using the (@_) rules, which are more constrained than the corresponding (F_b_) rules, especially (@λ) and (@=). Considering function symbols with non-null arities provides more structure to the terms, and this structure can be used for proving termination [51].

Lemma 6.4 below will show that FV(v) ⊆ FV(u) ∪ X whenever u >_X v. Hence, an alternative formulation of rules (@λ) and (λ≠) could be given by replacing the condition "z fresh" by y ∉ FV(u).

Another, perhaps surprising fact is that the definition of core CPO can be simplified by replacing >_X by > everywhere but in (F_bλ). This is true at the start since we are interested in >^τ_∅. This is then an invariant of the computation, for two reasons: X is never increased, except in (F_bλ); X is reset to the empty set by (F_b⊳) and (F_b=), which are the only rules which may move from a (F_b) comparison to a (@) or (λ) comparison. We could therefore simplify our definition by removing the superfluous X subscripts. This will however no longer be true of the extension of core CPO to inductive types, and we prefer to have a uniform definition over the various sections. Further, the present definition will allow us to study a relaxation of (@λ) in the next section.

Surprisingly, core CPO is powerful enough already to prove termination of examples that usually require techniques like the ones developed in Section [?].

Example 5.2. Consider the breadth-first search of labeled trees using continuations [52], using the sorts L for lists of labels and C for continuations, the abbreviation ¬T = T → L, and the symbols d : C and c¹ : ¬¬C → C for building continuations. Let now e : ¬C be defined by the rule:

e c(x) → x e

Its termination can be checked by core CPO by taking C > L and c >_F e. Indeed, e c(x) >^τ x e holds by (@⊳) since c(x) >^τ x e for τ(c(x)) = C > τ(xe) = L and, by (F_b@), c(x) > x by (F_b⊳), and c(x) > e by (F_b>).


5.2. Tightness of core CPO. In this section, we show that almost all possible relaxations (by replacing >^τ by >, and > by >_X) of the above definition lead to non-termination, by providing appropriate examples that are also meant to help understanding how CPO works. To this end, we will consider three different systems, using o : * to declare a sort o:

S1: o : *; a : o, f¹ : o → o, g : o → o → o; a >_F f >_F g.

S2: o, o' : *; a : o, f¹ : o → o, j¹ : (o' → o → o) → o; a >_F f >_F j.

S3: o : *; a : o, h² : o → o → o, k² : (o → o) → o → o; a >_F h ≃_F k; stat(h) = stat(k) = mul.
For each rule, we now consider all its natural relaxations.

• (F_b⊳) f(t̄) >_X v if (∃i) tᵢ ≥^τ v

  – Replace ≥^τ by ≥_X. Then, in S1 we have:

    (1) f(a) >^τ (λxf(x))a since τ(f(a)) = o ≥ τ((λxf(x))a) = o and, by (F_b@):
      (a) f(a) > λxf(x) since, by (F_bλ), x ∉ FV(f(a)) and
        (i) f(a) >_{x} f(x) since, by relaxing (F_b⊳): a >_{x} f(x) since τ(a) = o ≥ τ(f(x)) = o and, by (F_b>), a >_{x} x by (F_bX),
      (b) f(a) > a by (F_b⊳).
    (2) (λxf(x))a >^τ f(a) since τ((λxf(x))a) = o ≥ τ(f(a)) = o and by (@β).

  – Replace ≥^τ by ≥. Then, in S1 we have:

    (1) f(a) >^τ (λxf(x))a since τ(f(a)) = o ≥ τ((λxf(x))a) = o and, by (F_b@):
      (a) f(a) > λxf(x) since, by relaxing (F_b⊳):
        (i) a > λxf(x) since, by (F_bλ), x ∉ FV(a) and a >_{x} f(x) and, by (F_b>), a >_{x} x by (F_bX),
      (b) f(a) > a by (F_b⊳).
    (2) (λxf(x))a >^τ f(a) since τ((λxf(x))a) = o ≥ τ(f(a)) = o and by (@β).

• (F_b=) f(t̄) >_X g(ū) if f ≃_F g, f(t̄) >_X ū and t̄ (>^τ)_stat(f) ū

  – Replace >^τ by >_X. Then, in S1 we have:

    (1) f(a) >^τ (λxf(x))a since τ(f(a)) = o ≥ τ((λxf(x))a) = o and, by (F_b@):
      (a) f(a) > λxf(x) since, by (F_bλ), x ∉ FV(f(a)) and:
        (i) f(a) >_{x} f(x) since, by relaxing (F_b=): f(a) >_{x} x by (F_bX), and a >_{x} x since τ(a) = o ≥ τ(x) = o and by (F_bX),
      (b) f(a) > a by (F_b⊳),
    (2) (λxf(x))a >^τ f(a) since τ((λxf(x))a) = o ≥ τ(f(a)) = o and by (@β).

  – Replace >^τ by >. We found no counter-example for this case, but this is due to the condition f(t̄) >_X ū. If we consider (F_b=mul) and (F_b=lex) instead, then simple counter-examples like the following one in S3 come up.

    (1) h(a, a) >^τ k(λxh(x,x), a) since τ(h(a, a)) = o ≥ τ(k(λxh(x,x), a)) = o and, by relaxing (F_b=mul), {a, a} (>)_mul {λxh(x,x), a}, since a > λxh(x,x) by case (F_bλ) because a >_{x} h(x,x) by case (F_b>) and a >_{x} x by case (F_bX),
    (2) k(λxh(x,x), a) >^τ (λxh(x,x))a since τ(k(λxh(x,x), a)) = o ≥ τ((λxh(x,x))a) = o and by case (F_b@) since
      (a) k(λxh(x,x), a) > λxh(x,x) by (F_b⊳),
      (b) k(λxh(x,x), a) > a by (F_b⊳).
    (3) (λxh(x,x))a >^τ h(a,a) since τ((λxh(x,x))a) = o ≥ τ(h(a,a)) = o and by (@β).

  Note that this counter-example can also be applied to case (F_b=lex) if we take stat(h) = stat(k) = lex. Unfortunately it does not work on (F_b=) since we cannot prove h(a,a) > λxh(x,x).

• (@⊳) tu >_X v if t ≥^τ_X v or u ≥^τ_X v

  – Replace ≥^τ_X by ≥_X. Then, in S1 we have:

    (1) f(a) >^τ gaa since τ(f(a)) = o ≥ τ(gaa) = o and, by (F_b@):
      (a) f(a) > ga since, by (F_b@):
        (i) f(a) > g by (F_b>),
        (ii) f(a) > a by (F_b⊳),
      (b) f(a) > a by 1(a)ii.
    (2) gaa >^τ (λxf(x))a since τ(gaa) = o ≥ τ((λxf(x))a) = o and, by (@=):
      (a) ga >^τ λxf(x) since τ(ga) = o → o ≥ τ(λxf(x)) = o → o and, by relaxing (@⊳):
        (i) a > λxf(x) since, by (F_bλ): a >_{x} f(x) since, by (F_b>), a >_{x} x by (F_bX),
    (3) (λxf(x))a >^τ f(a) since τ((λxf(x))a) = o ≥ τ(f(a)) = o and by (@β).

• (@=) tu >_X t'u' if t = t' and u >_X u', or tu ⊐ t' and tu ⊐ u', where tu ⊐ v if t >_X v or u >_X v or tu >^τ_X v, and tu (>^τ)_mul t'u'.

  – Replace tu ⊐ t' by tu >_X t'. Then, taking t : o → o, we get tu >^τ tu since, by relaxing (@=), we have tu > t by (@⊳).

  – Replace tu ⊐ u' by tu >_X u'. Then, taking t : (o → o) → o, we get tu >^τ tu since, by relaxing (@=), we have tu > u by (@⊳).

  – We found no counter-example yet for the other cases.

• (@λ) tu >_X λyv if tu >_X v^z_y, τ(y) = τ(z) and z fresh

  – Replace >_X by >_{X∪{z}}. Then, in S1 we have:

    (1) f(a) >^τ gaa since τ(f(a)) = o ≥ τ(gaa) = o and, by (F_b@):
      (a) f(a) > ga since, by (F_b@):
        (i) f(a) > g by (F_b>),
        (ii) f(a) > a by (F_b⊳),
      (b) f(a) > a by 1(a)ii.
    (2) gaa >^τ (λxf(x))a since τ(gaa) = o ≥ τ((λxf(x))a) = o and, by (@=):
      (a) ga >^τ λxf(x) since τ(ga) = o → o ≥ τ(λxf(x)) = o → o and, by relaxing (@λ):
        (i) ga >_{x} f(x) since, by (@⊳): a >_{x} f(x) since, by (F_b>), a >_{x} x by (F_bX),
    (3) (λxf(x))a >^τ f(a) since τ((λxf(x))a) = o ≥ τ(f(a)) = o and by (@β).

• (λ⊳) λxt >_X v if t^y_x ≥^τ_X v, τ(x) = τ(y) and y fresh

  – Replace ≥^τ_X by ≥_X. Then, in S2 we have:

    (1) f(a) >^τ j(λxλya) since τ(f(a)) = o ≥ τ(j(λxλya)) = o and, by (F_b>):
      (a) f(a) > λxλya since, by (F_bλ) twice:
        (i) f(a) >_{x,y} a by (F_b⊳),
    (2) j(λxλya) >^τ (λzf(z))a since τ(j(λxλya)) = o ≥ τ((λzf(z))a) = o and, by (F_b@):
      (a) j(λxλya) > λzf(z) since, by (F_b⊳):
        (i) λxλya >^τ λzf(z) since τ(λxλya) = o' → o → o ≥ τ(λzf(z)) = o → o and, by relaxed (λ⊳), x ∉ FV(λzf(z)) and: λya > λzf(z) since, by relaxed (λ⊳), y ∉ FV(λzf(z)) and a > λzf(z) since, by (F_bλ), a >_{z} f(z) since, by (F_b>), a >_{z} z by (F_bX),
      (b) j(λxλya) > a since, by (F_b⊳):
        (i) λxλya >^τ a since τ(λxλya) = o' → o → o ≥ τ(a) = o and, by (λ⊳), x ∉ FV(a) and: λya >^τ a since τ(λya) = o → o ≥ τ(a) = o and, by (λ⊳) again.
    (3) (λzf(z))a >^τ f(a) since τ((λzf(z))a) = o ≥ τ(f(a)) = o and by (@β).

• (λ≠) λxt >_X λyv if λxt >_X v^z_y, τ(x) ≠ τ(y) and z fresh

  – Replace >_X by >_{X∪{z}}. Then, in S2 we have:

    (1) f(a) >^τ j(λxλya) since τ(f(a)) = o ≥ τ(j(λxλya)) = o and, by (F_b>):
      (a) f(a) > λxλya since, by (F_bλ) twice:
        (i) f(a) >_{x,y} a by (F_b⊳),
    (2) j(λxλya) >^τ (λzf(z))a since, by (F_b@):
      (a) j(λxλya) > λzf(z) since, by (F_b⊳):
        (i) λxλya >^τ λzf(z) since τ(λxλya) = o' → o → o ≥ τ(λzf(z)) = o → o and, by relaxing (λ≠): λxλya >_{z} f(z) since, by (λ⊳), λya >^τ_{z} f(z) since τ(λya) = o → o ≥ τ(f(z)) = o and, by (λ⊳) again, a >^τ_{z} f(z) since τ(a) = o ≥ τ(f(z)) = o and, by (F_b>), a >_{z} z by (F_bX),
      (b) j(λxλya) > a since, by (F_b⊳):
        (i) λxλya >^τ a since τ(λxλya) = o' → o → o ≥ τ(a) = o and, by (λ⊳): λya >^τ a since τ(λya) = o → o ≥ τ(a) = o and, by (λ⊳) again.
    (3) (λzf(z))a >^τ f(a) by (@β).

  – Remove the condition τ(x) ≠ τ(y). Then, in S1 we have τ(λxa) ≥ τ(λxa) and λxa >^τ λxa by the relaxed (λ≠) since λxa > a by (λ⊳).
5.3. Transitivity. As HORPO, core CPO is not transitive (both include $\beta$-reduction which is not transitive). Adding transitivity as a rule yields non-termination as shown by the following counter-example:

Example 5.3. In the premises of $(\mathcal{F}@)$, replace $>^X$ by $(>^X)^+$. Then, in the system $\mathfrak{R}$ described at the beginning of next section, we have:

(1) $f(a) >_\tau (\lambda x f(x))a$ since $\tau(f(a)) = o \geq \tau((\lambda x f(x))a) = o$ and, by relaxing $(\mathcal{F}@)$:

(a) $f(a) >^+ \lambda x f(x)$ since

(i) $f(a) > a$ by $(\mathcal{F}\rhd)$, and

(ii) $a > \lambda x f(x)$ by $(\mathcal{F}\lambda)$ since $a >^{\{x\}} f(x)$ by $(\mathcal{F}>)$ and then $(\mathcal{F}X)$

(b) $f(a) > a$ by $(\mathcal{F}\rhd)$.

(2) $(\lambda x f(x))a >_\tau f(a)$ since $\tau((\lambda x f(x))a) = o \geq \tau(f(a)) = o$ and by $(@\beta)$.

Similar counter-examples can be built as well for $(\mathcal{F}>)$ and $(\mathcal{F}=)$, since the key point is that, by using $(>^X)^+$, we can apply case $(\mathcal{F}\rhd)$ without requiring type decreasingness.

Useful implemented heuristics for under-approximating are discussed in [59]. The introduction of small symbols in Section 8 will reduce the need for such heuristics, although not completely. On the other hand, we will show soon that core CPO is a well-founded relation on terms. So is therefore its transitive closure.

5.4. Comparison with HORPO. In [59], the last two authors define a relation on simply-typed polymorphic $\lambda$-terms, $>_{horpo}$, and its extension $>^c_{horpo}$ using the notion of computability closure introduced in [15]. In this section, we explain the differences between CPO and $>_{horpo}$. We will compare CPO with $>^c_{horpo}$ in Section 7.3.

• Type discipline. $>_{horpo}$ and $>^c_{horpo}$ are relations on polymorphic $\lambda$-terms, where types may contain type variables that have to be instantiated when forming function calls, while CPO is a relation on simply-typed monomorphic $\lambda$-terms. In the following, we will therefore compare CPO with the monomorphic versions of $>_{horpo}$ and $>^c_{horpo}$. Extending CPO to polymorphic types along the lines of [59] is routine.

• Relation on types. In [59], the relation $\geq$ on types must be a quasi-ordering satisfying the following conditions, where $> \;=\; \geq \setminus \geq^{-1}$ is its strict part and $\simeq \;=\; \geq \cap \geq^{-1}$ its associated equivalence relation:

(1) $>$ is well-founded;

(2) $T \to U \simeq V$ implies $V = T' \to U'$ with $T \simeq T'$ and $U \simeq U'$;$^{1}$

(3) $T \to U > V$ implies $U \geq V$ or $V = T' \to U'$ with $T \simeq T'$ and $U > U'$;

(4) $T > T'$ implies $T \to U > T' \to U$ and $U \to T > U \to T'$.

It turns out that these conditions are inconsistent: if $T > U$ then, by (4), $T \to V > U \to V$ and, by (3), $V \geq U \to V$, which is impossible by (1) [61]. However, the results of [59] are still true since property (4) is only used to build the simplification ordering$^{2}$ used for defining the interpretation of types. Instead, now, we distinguish between $\geq$, which must contain $>_\tau$ and satisfy (3)/(typ-arrow) ((2) is always satisfied when $\geq$ is an ordering instead of a quasi-ordering), and $>$, which must contain $\rhd \cup >_\tau$ and be well-founded. The monotony property (4) is not required anymore.

In [59], $>_{horpo}$ and $>^c_{horpo}$ are proved well-founded not only on well-typed terms but on a larger set of terms called candidate terms, obtained by identifying equivalent types.

$^{1}$Condition (2) is actually stated there as an equivalence, but its converse follows from (4).

$^{2}$Written $>^{s}$ in Lemma 3.15 of [59].

Since, by (2), the arrow structure of equivalent types is invariant, the quotient of the set of types by $\simeq$ can be obtained by simply identifying equivalent sorts, and the quasi-order becomes then an order in the quotient structure. Since rewriting on candidate terms coincides with rewriting in the quotient, an order on types suffices, which removes the need for candidate terms and their technicalities.

• Relation on terms. One important difference between HORPO and CPO is that, in all sub-derivations of $>_{horpo}$, types must decrease ($t >_{horpo} u$ only if $\tau(t) \geq \tau(u)$) while, in CPO, this is not the case: types must be checked only in case the recursive call takes a subterm of the lefthand side term (except in $(@\rhd)$ for the left argument of an application). Indeed, CPO is an optimized version of $>_{horpo}$ in this respect.

$>_{horpo}$ is defined by a set of 12 rules and each rule but (9) is implied by a rule of CPO: (1) is implied by $(\mathcal{F}\rhd)$, (2) by $(\mathcal{F}>)$, (3) by $(\mathcal{F}=)$ with $stat(f) = mul$, (4) by $(\mathcal{F}=)$ with $stat(f) = lex$, (5) by $(@\rhd)$, (6) by $(\lambda\rhd)$, (7) by ..., (8) by $(\mathcal{F}\lambda)$ (HORPO requires the strong condition $x \notin FV(v)$ since it does not manage bound variables; this is however done by the computability closure in CHORPO), (10) by $(\lambda=)$, (11) by $(@\beta)$ and (12) by $(\lambda\eta)$.

Rule (9) compares $st$ and $u_1 \ldots u_n$ with $n \geq 2$ by comparing the multisets $\{s, t\}$ and $\{u_1, \ldots, u_n\}$. It is implied by $(@=)$. Indeed, in this case, for all $i$, either $s \geq_\tau u_i$ or $t \geq_\tau u_i$. If there is no $i$ such that $s = u_i$ then, for all $i$, $s >_\tau u_i$ or $t >_\tau u_i$, in which case one can prove that $st >_\tau u_1 \ldots u_k$ by induction on $k$. If $s = u_1$ then, for all $i \geq 2$, $t >_\tau u_i$, in which case one can also prove that $st >_\tau u_1 \ldots u_k$ by induction on $k$. Otherwise, there is $i > 1$ such that $s = u_i$ and $t \geq_\tau u_1$. But, then, $\tau(s) > \tau(t) \geq \tau(u_1) > \tau(s)$, which is not possible by (typ-sn).

On the other hand, the CPO rules $(\lambda\neq)$, $(@\lambda)$, $(@X)$, $(\lambda X)$ have no counterpart in HORPO. Therefore, HORPO is strictly included in CPO.


5.5. Implementation. All examples given in the paper have been checked by our implementation, which is available from the web at http://www.lsi.upc.edu/~albert/cpo.zip. In this implementation the precedence and the status should be provided by the user. The implemented prototype includes core CPO as well as the extended versions of the ordering defined in Sections 7 and 8. Several more examples are also included together with the implementation showing the power of the developed orderings. However, like RPO, CPO cannot be compared with transformation techniques based on, for instance, the computation of dependency pairs [...], but its power shows that it should be the path ordering of choice for solving the (monotonic) ordering comparisons which are generated by these transformation techniques.

Given a precedence and a status for every function symbol, deciding if a term $s$ is smaller than a term $t$ in core CPO can be made in quadratic time (using a dynamic programming algorithm) if $(@\beta)$ is not used. The proof is basically the same as for RPO [66]. Our prototype implementation written in Prolog does not use dynamic programming. Still, some standard optimizations over the given presentation are made, which mainly affect case $(\mathcal{F}=)$. Let us split this case in two new cases, one for multiset status $(\mathcal{F}{=}mul)$ and one for lexicographic status $(\mathcal{F}{=}lex)$, and show that even after removing all or part of the condition $f(\bar t) >^X \bar u$, the conjunction of both cases is equivalent to the original one.

$(\mathcal{F}{=}mul)$ $f(\bar t) >^X g(\bar u)$ if $f \simeq_\mathcal{F} g$, $stat(f) = mul$ and $\bar t \,(>_\tau)_{mul}\, \bar u$

$(\mathcal{F}{=}lex)$ $f(\bar t) >^X g(\bar u)$ if $f \simeq_\mathcal{F} g$, $stat(f) = lex$ and:

$(\exists i)\ t_i >_\tau u_i \;\wedge\; (\forall j < i)\ t_j = u_j \;\wedge\; (\forall j > i)\ f(\bar t) >^X u_j$

In case $(\mathcal{F}{=}mul)$, $\bar t \,(>_\tau)_{mul}\, \bar u$ implies that, for every $u_j$, there is $t_i$ such that $t_i \geq_\tau u_j$, which implies that $f(\bar t) >^X u_j$ by $(\mathcal{F}\rhd)$. Similarly, in case $(\mathcal{F}{=}lex)$, there is $i$ such that $t_i >_\tau u_i$, $(\forall j < i)\ t_j = u_j$ and $(\forall j > i)\ f(\bar t) >^X u_j$, which implies $(\forall j)\ f(\bar t) >^X u_j$ by $(\mathcal{F}\rhd)$. Therefore, we have $f(\bar t) >^X \bar u$ and hence case $(\mathcal{F}=)$ can be applied as well.

As said, our implementation assumes that the precedence on function symbols and the status is given. Generating the precedence and the status automatically is a harder problem, and closely relates to the decision problem of solving ordering constraints, which is already NP-complete for RPO [76, 75], but which is nowadays efficiently done in practice by encoding the problem into SAT [26]. These kinds of encodings can be easily adapted to CPO, as done for HORPO in termination tools like WANDA [63] and THOR [23].
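The split of $(\mathcal{F}=)$ above, as an added example that is not part of the paper and not the authors' Prolog prototype: it implements the rules $(\mathcal{F}\rhd)$, $(\mathcal{F}>)$ and $(\mathcal{F}=)$ on the first-order fragment of core CPO (no abstraction, no application, a single sort, so every type check $\tau(s) \geq \tau(t)$ holds and $X$ is empty), once with the original condition $f(\bar t) >^X \bar u$ and once with the split cases $(\mathcal{F}{=}mul)$/$(\mathcal{F}{=}lex)$, and checks that both verdicts coincide on constructed terms. The signature, precedence and statuses are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple, Union

# Added example (not the authors' Prolog prototype): the (F=) split of Section 5.5
# on the first-order fragment of core CPO.  Assumptions: no abstraction and no
# application, a single sort (so every type check tau(s) >= tau(t) holds and the
# bound-variable set X is empty), equivalent symbols have the same arity and
# status, and a constructed signature f ~ g (lex) > m (mul) > s > c.

@dataclass(frozen=True)
class Var:
    name: str

@dataclass(frozen=True)
class Fun:
    sym: str
    args: Tuple["Term", ...] = ()

Term = Union[Var, Fun]

PREC = {"f": 3, "g": 3, "m": 2, "s": 1, "c": 0}   # rank in the precedence
STAT = {"f": "lex", "g": "lex", "m": "mul", "s": "lex", "c": "lex"}

def geq(s: Term, t: Term, opt: bool) -> bool:
    return s == t or gt(s, t, opt)

def mul_ext(ts: Sequence[Term], us: Sequence[Term], opt: bool) -> bool:
    """Multiset extension: cancel common elements, then every remaining u_j must
    be dominated by some remaining t_i (and something must remain on the left)."""
    rest_t, rest_u = list(ts), list(us)
    for u in us:
        if u in rest_t:
            rest_t.remove(u)
            rest_u.remove(u)
    return bool(rest_t) and all(any(gt(t, u, opt) for t in rest_t) for u in rest_u)

def lex_first_strict(ts: Sequence[Term], us: Sequence[Term], opt: bool) -> Optional[int]:
    """Index i with t_i > u_i and t_j = u_j for all j < i, or None."""
    for i, (t, u) in enumerate(zip(ts, us)):
        if t == u:
            continue
        return i if gt(t, u, opt) else None
    return None

def gt(s: Term, t: Term, opt: bool) -> bool:
    """s > t.  opt=False is the original (F=): stat-extension plus f(t) > u_j for
    every j.  opt=True is the split form: (F= mul) drops that condition, (F= lex)
    keeps it only for the positions j > i after the first strict decrease."""
    if isinstance(s, Var):
        return False                                   # variables are minimal
    if any(geq(ti, t, opt) for ti in s.args):          # (F rhd): some t_i >= t
        return True
    if isinstance(t, Var):
        return False                                   # (FX) needs t in X = {}
    f, g = s.sym, t.sym
    if PREC[f] > PREC[g]:                              # (F>)
        return all(gt(s, uj, opt) for uj in t.args)
    if PREC[f] != PREC[g]:
        return False
    if STAT[f] == "mul":                               # (F= mul)
        ok, tail = mul_ext(s.args, t.args, opt), ()
    else:                                              # (F= lex)
        i = lex_first_strict(s.args, t.args, opt)
        ok, tail = i is not None, (t.args[i + 1:] if i is not None else ())
    if not ok:
        return False
    return all(gt(s, uj, opt) for uj in (tail if opt else t.args))

def agree(pairs) -> bool:
    """Both presentations give the same verdict on every pair (Section 5.5)."""
    return all(gt(s, t, True) == gt(s, t, False) for s, t in pairs)

# Constructed sample terms.
x, y, C = Var("x"), Var("y"), Fun("c")
def S(t: Term) -> Term: return Fun("s", (t,))
def F(a: Term, b: Term) -> Term: return Fun("f", (a, b))
def G(a: Term, b: Term) -> Term: return Fun("g", (a, b))
def M(a: Term, b: Term) -> Term: return Fun("m", (a, b))

SAMPLES = [
    (F(S(x), S(y)), F(x, F(S(x), y))),   # True: lex step s(x) > x, then f(..) > f(s(x), y)
    (F(S(x), y), G(x, y)),               # True: f ~ g, same status
    (M(S(x), S(x)), M(x, S(x))),         # True: multiset {s(x)} dominates {x}
    (M(S(x), y), M(x, S(y))),            # False: nothing dominates s(y)
    (F(x, y), F(y, x)),                  # False: variables are incomparable
    (F(S(x), C), F(x, S(S(C)))),         # True: lex step, then (F>) on s(s(c))
]

if __name__ == "__main__":
    for s, t in SAMPLES:
        print(s, ">", t, "=", gt(s, t, True))
    print("original and split presentations agree:", agree(SAMPLES))
```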

6. Well-foundedness of core CPO

We now move to a technical analysis of the most important properties of core CPO.

6.1. Basic properties of core CPO.

Lemma 6.1. $>^X$ is well-defined.

Proof. $a >^X b$ is well-defined by induction on the pair $(a, b)$ with $(=_\alpha \rhd \cup \to_\beta,\ \rhd)_{lex}$ as well-founded relation, where $\rhd$ is the subterm relation. □

Definition 6.2 (Monotony). We say that $>_\tau$ is monotone if the following properties hold:

(1) if $f : \bar T \to U$, $\bar t : \bar T$, $\bar t' : \bar T$ and $\bar t \,(>_\tau)_{prod}\, \bar t'$, then $f(\bar t) >_\tau f(\bar t')$;

(2) if $t : U \to V$, $t' : U \to V'$, $t >_\tau t'$, $u : U$ and $V \geq V'$, then $tu >_\tau t'u$;

(3) if $t : U \to V$, $u, u' : U$ and $u >_\tau u'$, then $tu >_\tau tu'$;

(4) if $t : T$, $t' : T'$, $t >_\tau t'$ and $\tau(x) \to T \geq \tau(x) \to T'$, then $\lambda xt >_\tau \lambda xt'$.

Lemma 6.3. $>_\tau$ is monotone.

Proof.

(1) Since $\tau(f(\bar t)) = \tau(f(\bar t'))$, it suffices to check that $f(\bar t) > f(\bar t')$. By Lemma 4.1, $\bar t \,(>_\tau)_{stat(f)}\, \bar t'$. By $(\mathcal{F}\rhd)$, $f(\bar t) > \bar t'$ since, for each $i$, $t_i >_\tau t'_i$. We conclude by $(\mathcal{F}=)$.

(2) Since $\tau(tu) \geq \tau(t'u)$, it suffices to check that $tu > t'u$. This follows by $(@=)$.

(3) Since $\tau(tu) = \tau(tu')$, it suffices to check that $tu > tu'$. This follows by $(@=)$.

(4) By $(\lambda=)$. □

Note that Lemma 6.3 holds for any relation satisfying $(\mathcal{F}\rhd)$, $(\mathcal{F}=)$, $(@=)$ and $(\lambda=)$.

Lemma 6.4. If $a >^X b$, then $FV(b) \subseteq FV(a) \cup X$.

Proof. By an easy induction on $a >^X b$. We detail a selection of cases:

• $(\mathcal{F}\lambda)$ By the induction hypothesis, $FV(v^z_y) \subseteq FV(f(\bar t)) \cup X \cup \{z\}$. Now, $FV(\lambda yv) = FV(v^z_y) \setminus \{z\}$ since $z$ is fresh. The result follows.

• $(\lambda\rhd)$ By the induction hypothesis, $FV(u) \subseteq FV(t^z_x) \cup X$. Therefore, $FV(u) \subseteq FV(\lambda xt) \cup X$ since $FV(t^z_x) \subseteq FV(\lambda xt) \cup \{z\}$ and $z \notin FV(u)$.

• $(\lambda=)$ By the induction hypothesis, $FV(v^z_y) \subseteq FV(t^z_x) \cup X$. Now, $FV(t^z_x) \subseteq FV(\lambda xt) \cup \{z\}$ and, either $y \in FV(v)$ and $FV(v^z_y) = FV(\lambda yv) \cup \{z\}$, or $FV(v^z_y) = FV(\lambda yv)$. Therefore, $FV(\lambda yv) \subseteq FV(\lambda xt) \cup X$ since $z \notin FV(\lambda yv)$.

• $(\lambda\neq)$ By the induction hypothesis, $FV(v^z_y) \subseteq FV(\lambda xt) \cup X$. Since $z$ is fresh for $\lambda xt$, $X$ and $\lambda yv$, $y \notin FV(v)$. Therefore, $FV(\lambda yv) = FV(v) \setminus \{y\} \subseteq FV(\lambda xt) \cup X$. □
Lemma 6.5. If $a >^X b$, $a =_\alpha a'$ and $b =_\alpha b'$, then $a' >^X b'$.

Proof. We prove (i) $a >^X b$ and $a =_\alpha a'$ implies $a' >^X b$, and (ii) $a >^X b$ and $b =_\alpha b'$ implies $a >^X b'$, separately by induction on $a >^X b$. We only detail some cases:

• $(\mathcal{F}\lambda)$ (ii) Assume that $\lambda yv =_\alpha b'$. Then, there are $y'$ and $v'$ such that $b' = \lambda y'v'$, $y \notin FV(\lambda y'v')$ and $v =_\alpha v'^{y}_{y'}$. Hence, $v^z_y =_\alpha (v'^{y}_{y'})^z_y =_\alpha v'^{z}_{y'}$ and, by the induction hypothesis, $f(\bar t) >^{X \cup \{z\}} v'^{z}_{y'}$. Now, $z \notin FV(\lambda y'v') \cup FV(f(\bar t))$ since $FV(\lambda y'v') = FV(\lambda yv)$ and $z \notin FV(\lambda yv) \cup FV(f(\bar t))$. Therefore, by $(\mathcal{F}\lambda)$, $f(\bar t) >^X \lambda y'v'$.

• $(\lambda\rhd)$ (ii) Assume that $v =_\alpha v'$. By the induction hypothesis, $t^z_x >^X v'$. Now, $z$ is fresh for $\lambda xt$, $X$ and $v'$ since $FV(v') = FV(v)$ and $z$ is fresh for $\lambda xt$, $X$ and $v$. Therefore, by $(\lambda\rhd)$, $\lambda xt >^X v'$.

(i) Assume now that $\lambda xt =_\alpha a'$. Then, there are $x'$ and $t'$ such that $a' = \lambda x't'$, $x \notin FV(\lambda x't')$ and $t =_\alpha t'^{x}_{x'}$. Hence, $t^z_x =_\alpha (t'^{x}_{x'})^z_x =_\alpha t'^{z}_{x'}$ and, by the induction hypothesis, $t'^{z}_{x'} >^X v$. Now, $z$ is fresh for $\lambda x't'$, $X$ and $v$ since $FV(\lambda x't') = FV(\lambda xt)$ and $z$ is fresh for $\lambda xt$, $X$ and $v$. Therefore, by $(\lambda\rhd)$, $\lambda x't' >^X v$.

• $(\lambda=)$ (ii) Assume that $\lambda yv =_\alpha b'$. Then, there are $y'$ and $v'$ such that $b' = \lambda y'v'$, $y \notin FV(\lambda y'v')$ and $v =_\alpha v'^{y}_{y'}$. Hence, $v^z_y =_\alpha (v'^{y}_{y'})^z_y =_\alpha v'^{z}_{y'}$ and, by the induction hypothesis, $t^z_x >^X v'^{z}_{y'}$. Now, $z$ is fresh for $\lambda xt$, $X$ and $\lambda y'v'$ since $FV(\lambda y'v') = FV(\lambda yv)$ and $z$ is fresh for $\lambda xt$, $X$ and $\lambda yv$. Therefore, by $(\lambda=)$, $\lambda xt >^X \lambda y'v'$.

• $(\lambda\neq)$ (ii) Assume that $\lambda yv =_\alpha b'$. Then, there are $y'$ and $v'$ such that $b' = \lambda y'v'$, $y' \notin FV(\lambda yv)$ and $v^{y'}_y =_\alpha v'$. By Lemma 6.4, $y \notin FV(v)$. Hence, $y' \notin FV(v')$, $v^z_y =_\alpha v'^{z}_{y'}$ and, by the induction hypothesis, $\lambda xt >^X v'^{z}_{y'}$. Moreover, $z$ is fresh for $\lambda xt$, $X$ and $\lambda y'v'$. Therefore, by $(\lambda\neq)$, $\lambda xt >^X \lambda y'v'$. □

Hence, if $t >^X u$ and $V$ is a finite set of variables, then one can always assume without loss of generality that the bound variables of $t$ and $u$ do not belong to $V$.

Invariance by variable renaming can also be extended to X: 

Lemma 6.6. Assume that $t >^X u$.

(1) If $\sigma$ is away from $X$, then $t\sigma >^X u\sigma$.

(2) If $e \in X$, $e' \notin FV(\lambda e\,u)$ and $\tau(e) = \tau(e')$, then $t >^{X \setminus \{e\} \cup \{e'\}} u^{e'}_e$.

Proof. Note that substitution preserves typing ($\tau(t\sigma) = \tau(t)$). Let $X^{e'}_e = X \setminus \{e\} \cup \{e'\}$. Wlog we can assume that $e \neq e'$. Hence, $e' \notin FV(u)$. We now proceed by induction on the deduction height of $t >^X u$. We only detail some cases:

(1) $(\mathcal{F}=)$ By induction hypothesis and Lemma 4.1, $(\forall i)\ f(\bar t)\sigma >^X u_i\sigma$ and $\bar t\sigma \,(>_\tau)_{stat(f)}\, \bar u\sigma$. Therefore, by $(\mathcal{F}=)$, $f(\bar t)\sigma >^X g(\bar u)\sigma$.

$(\mathcal{F}\lambda)$ Wlog we can assume $\sigma$ away from $\{y\}$. Hence, $(\lambda yv)\sigma = \lambda y(v\sigma)$. Let now $z'$ be a variable of the same type as $z$, fresh for $f(\bar t)\sigma$, $X$, $\lambda y(v\sigma)$ and $\lambda z v^z_y =_\alpha \lambda yv$, and such that $\sigma$ is away from $\{z'\}$. By induction hypothesis (2), $f(\bar t) >^{(X \cup \{z\})^{z'}_z} (v^z_y)^{z'}_z$. Since $z \notin X$, $(X \cup \{z\})^{z'}_z = X \cup \{z'\}$. Since $(^{z'}_z)$ is away from $\{y\}$ and $z \notin FV(v)$, $(v^z_y)^{z'}_z = v^{z'}_y$. By induction hypothesis, $f(\bar t)\sigma >^{X \cup \{z'\}} (v^{z'}_y)\sigma$. Since $\sigma$ is away from $\{y, z'\}$, $(v^{z'}_y)\sigma = (v\sigma)^{z'}_y$. Therefore, by $(\mathcal{F}\lambda)$, $f(\bar t)\sigma >^X \lambda y(v\sigma)$.

$(\lambda\rhd)$ Wlog we can assume that $\sigma$ is away from $\{x\}$. Hence, $(\lambda xt)\sigma = \lambda x(t\sigma)$. After Lemma 6.4 and since $\sigma$ is away from $X$, $FV(v) \subseteq FV(\lambda xt)$. Hence, we can also assume wlog that $dom(\sigma) \subseteq FV(\lambda xt)$. Let now $z'$ be a variable of the same type as $z$, fresh for $\lambda x(t\sigma)$, $X$, $v\sigma$ and $x$, and such that $\sigma$ is away from $\{z'\}$. Let $\sigma' = \sigma \cup \{(z, z')\}$. Since $\sigma'$ is away from $X$, by induction hypothesis, $(t^z_x)\sigma' >^X v\sigma'$. Since $dom(\sigma) \subseteq FV(\lambda xt)$ and $\sigma$ is away from $\{x, z'\}$, $(t^z_x)\sigma' = (t\sigma)^{z'}_x$, and since $z \notin FV(v)$, $v\sigma' = v\sigma$. Therefore, by $(\lambda\rhd)$, $\lambda x(t\sigma) >^X v\sigma$.

$(\lambda=)$ Wlog we can assume that $\sigma$ is away from $\{x, y\}$. Hence, $(\lambda xt)\sigma = \lambda x(t\sigma)$ and $(\lambda yv)\sigma = \lambda y(v\sigma)$. After Lemma 6.4 and since $\sigma$ is away from $X$, $FV(\lambda yv) \subseteq FV(\lambda xt)$. Hence, we can also assume wlog that $dom(\sigma) \subseteq FV(\lambda xt)$. Let now $z'$ be a variable of the same type as $z$, fresh for $\lambda x(t\sigma)$, $X$, $\lambda y(v\sigma)$, $x$ and $y$, and such that $\sigma$ is away from $\{z'\}$. Let $\sigma' = \sigma \cup \{(z, z')\}$. Since $\sigma'$ is away from $X$, by induction hypothesis, $(t^z_x)\sigma' >^X (v^z_y)\sigma'$. Since $dom(\sigma) \subseteq FV(\lambda xt)$, $dom(\sigma) \subseteq FV(\lambda yv)$, and $\sigma$ is away from $\{x, y, z'\}$, $(t^z_x)\sigma' = (t\sigma)^{z'}_x$ and $(v^z_y)\sigma' = (v\sigma)^{z'}_y$. Therefore, by $(\lambda=)$, $(\lambda xt)\sigma >^X (\lambda yv)\sigma$.

$(\lambda\neq)$ Wlog we can assume $\sigma$ away from $\{x, y\}$. Hence, $(\lambda xt)\sigma = \lambda x(t\sigma)$ and $(\lambda yv)\sigma = \lambda y(v\sigma)$. Let $z'$ fresh for $\lambda x(t\sigma)$, $X$ and $\lambda y(v\sigma)$. By Lemma 6.4, $y \notin FV(v)$, hence $v^z_y = v$. By induction hypothesis, $(\lambda xt)\sigma >^X v^z_y\sigma$. Therefore, by $(\lambda\neq)$, $\lambda x(t\sigma) >^X \lambda y(v\sigma)$.

(2) $(\mathcal{F}\lambda)$ Wlog we can assume $(^{e'}_e)$ away from $\{y\}$. Hence, $(\lambda yv)^{e'}_e = \lambda y(v^{e'}_e)$. Let now $z'$ be a variable of the same type as $z$, fresh for $f(\bar t)$, $X^{e'}_e$, $\lambda y(v^{e'}_e)$, $\lambda z v^z_y =_\alpha \lambda yv$ and $y$. By induction hypothesis, $f(\bar t) >^{(X \cup \{z\})^{z'}_z} (v^z_y)^{z'}_z$. Since $z \notin X$, $(X \cup \{z\})^{z'}_z = X \cup \{z'\}$. Since $z \notin FV(\lambda yv)$, $(v^z_y)^{z'}_z = v^{z'}_y$. By induction hypothesis, $f(\bar t) >^{(X \cup \{z'\})^{e'}_e} (v^{z'}_y)^{e'}_e$. Since $(^{e'}_e)$ is away from $\{y, z'\}$, $(X \cup \{z'\})^{e'}_e = X^{e'}_e \cup \{z'\}$ and $(v^{z'}_y)^{e'}_e = (v^{e'}_e)^{z'}_y$. Therefore, by $(\mathcal{F}\lambda)$, $f(\bar t) >^{X^{e'}_e} \lambda y(v^{e'}_e)$.

$(\lambda\rhd)$ Let $z'$ be a variable of the same type as $z$, fresh for $\lambda xt$, $X$, $X^{e'}_e$, $v^{e'}_e$ and $x$. Since $(^{z'}_z)$ is away from $X$, by induction hypothesis (1), $(t^z_x)^{z'}_z >^X v^{z'}_z$. Since $z' \neq x$ and $z \notin FV(t)$, $(t^z_x)^{z'}_z = t^{z'}_x$. Since $z \notin FV(v)$, $v^{z'}_z = v$. So, by induction hypothesis, $t^{z'}_x >^{X^{e'}_e} v^{e'}_e$. Therefore, by $(\lambda\rhd)$, $\lambda xt >^{X^{e'}_e} v^{e'}_e$.

$(\lambda=)$ Wlog we can assume $(^{e'}_e)$ away from $\{y\}$. Hence, $(\lambda yv)^{e'}_e = \lambda y(v^{e'}_e)$. Let now $z'$ be a variable of the same type as $z$, fresh for $\lambda xt$, $X$, $X^{e'}_e$, $\lambda y(v^{e'}_e)$, $x$ and $y$. Since $(^{z'}_z)$ is away from $X$, by induction hypothesis (1), $(t^z_x)^{z'}_z >^X (v^z_y)^{z'}_z$. Since $z' \neq x$ and $z \notin FV(t)$, $(t^z_x)^{z'}_z = t^{z'}_x$. Since $z' \neq y$ and $z \notin FV(v)$, $(v^z_y)^{z'}_z = v^{z'}_y$. So, by induction hypothesis, $t^{z'}_x >^{X^{e'}_e} (v^{z'}_y)^{e'}_e$. Since $(^{e'}_e)$ is away from $\{y, z'\}$, $(v^{z'}_y)^{e'}_e = (v^{e'}_e)^{z'}_y$. Therefore, by $(\lambda=)$, $\lambda xt >^{X^{e'}_e} \lambda y(v^{e'}_e)$.

$(\lambda\neq)$ Wlog we can assume $(^{e'}_e)$ away from $\{y\}$. Hence, $(\lambda yv)^{e'}_e = \lambda y(v^{e'}_e)$. Let $z'$ fresh for $\lambda xt$, $X^{e'}_e$ and $\lambda y(v^{e'}_e)$. By Lemma 6.4, $y \notin FV(v)$, hence $v^{z'}_y = v^z_y$. By the induction hypothesis, $\lambda xt >^{X^{e'}_e} (v^z_y)^{e'}_e = (v^{e'}_e)^{z'}_y$. Therefore, by $(\lambda\neq)$, $\lambda xt >^{X^{e'}_e} \lambda y(v^{e'}_e)$. □


6.2. Tait and Girard's computability. We now turn to the proof that $>_\tau$ is well-founded. This proof is based on the meticulous analysis of the technique of computability predicates of Tait and Girard for proving the termination of $\beta$-reduction in typed $\lambda$-calculi [83, 45, 84, 46]. This technique consists in the following three steps:

(1) interpret each type $T$ by a set $[\![T]\!]$ of so-called computable terms;

(2) prove that, for every type $T$, $[\![T]\!]$ satisfies some properties among which termination, i.e. $[\![T]\!] \subseteq SN(>_\tau)$;

(3) prove that every (well typed) term is computable.

For arrow types, we will use the standard interpretation but, for sorts, we a priori have some freedom and we will indeed use this freedom to extend CPO to inductive types later in Section 7.

Definition 6.7 (Computability). A base type interpretation is a map $I : \mathcal{S} \to \mathcal{P}(\mathcal{L})$ such that, for all sorts $A$, $I(A)$ is a set of terms of type $A$. A base type interpretation naturally extends to types as follows:

• $[\![A]\!]_I = I(A)$

• $[\![U \to V]\!]_I = \{t \in \mathcal{L} \mid t : U \to V \wedge (\forall u)\ u \in [\![U]\!]_I \Rightarrow tu \in [\![V]\!]_I\}$

Given a base type interpretation $I$, we say that:

• a term $t : T$ is $I$-computable if $t \in [\![T]\!]_I$;

• a substitution $\sigma$ is $I$-computable on a set $X$ of variables if, for all $x \in X$, $x\sigma$ is $I$-computable; it is $I$-computable if it is $I$-computable on $\mathcal{X}$;

• a function symbol $f : \bar T \to U$ is $I$-computable if, for all $I$-computable terms $\bar t : \bar T$, $f(\bar t)$ is $I$-computable.

Let $\mathcal{E}_I$ be the set of pairs $(f, \bar t)$ such that $f \in \mathcal{F}$, $f(\bar t)$ is a term and $\bar t$ are $I$-computable. Given a relation on terms $R$, let $(>_\mathcal{F}, R_{stat})_{lex}$ be the relation on $\mathcal{E}_I$ such that $(f, \bar t) \,(>_\mathcal{F}, R_{stat})_{lex}\, (g, \bar u)$ if either $f >_\mathcal{F} g$, or $f \simeq_\mathcal{F} g$ and $\bar t \,R_{stat(f)}\, \bar u$.

Our first lemma has a straightforward proof:

Lemma 6.8. Let $I_1$ and $I_2$ be two base type interpretations, and $T$ be a type. Then, $[\![T]\!]_{I_1} = [\![T]\!]_{I_2}$ if $I_1$ and $I_2$ agree on every sort occurring in $T$.

We then consider the following properties:

Definition 6.9 (Sets of neutral terms). A set $\mathcal{N}$ is a set of neutral terms if it satisfies the following properties:

• $\mathcal{X} \subseteq \mathcal{N}$ (neutral-var)

• for all $x, t, u$, $(\lambda xt)u \in \mathcal{N}$ (neutral-beta)

• if $t \in \mathcal{N}$ then, for all $u$, $tu \in \mathcal{N}$ (neutral-app)

• for all $x$ and $t$, $\lambda xt \notin \mathcal{N}$ (neutral-not-lam)

Definition 6.10 (Computability properties). Given a base type interpretation $I$ and a set $\mathcal{N}$ of neutral terms, a set $S$ of terms of type $T$ is an $I$-computability predicate if it satisfies the following properties:

• $S \subseteq SN(>_\tau)$ (comp-sn)

• If $t \in S$, then every $>_\tau$-reduct of $t$ is $I$-computable (comp-red)

• $t \in S$ if $t : T$, $t \in \mathcal{N}$ and every $>_\tau$-reduct of $t$ is $I$-computable (comp-neutral)

• $\lambda xt \in S$ if $T = U \to V$, $\lambda xt : T$ and, for all $u \in [\![U]\!]_I$, $t^u_x$ is $I$-computable (comp-lam)

We can then prove that every term is strongly normalizing if the sets $[\![T]\!]_I$ satisfy some of these properties and function symbols are $I$-computable, whatever the base type interpretation $I$ and the set $\mathcal{N}$ of neutral terms are:

Theorem 6.11. Given a base type interpretation $I$ and a set $\mathcal{N}$ of neutral terms, $>_\tau$ is well-founded if:

• for every type $T$, $[\![T]\!]_I$ satisfies (comp-sn), (comp-neutral) and (comp-lam);

• every function symbol $f \in \mathcal{F}$ is $I$-computable.

Proof. Because, for every $T$, $[\![T]\!]_I$ satisfies (comp-sn), it suffices to prove that every term is $I$-computable. By (neutral-var), variables belong to $\mathcal{N}$. Because, for every $T$, $[\![T]\!]_I$ satisfies (comp-neutral), variables are computable. Hence, the identity substitution is computable. We then prove that, for all $t : T$ and computable $\sigma$, $t\sigma \in [\![T]\!]_I$, by induction on $t$.

• $t = x$. Then, $t\sigma = x\sigma$ is computable since $\sigma$ is computable.

• $t = uv$. By induction hypothesis, $u\sigma$ and $v\sigma$ are computable. Therefore, $t\sigma = (u\sigma)(v\sigma)$ is computable.

• $t = \lambda xu$ with $x : V$. By renaming $x$, we can assume that $\sigma$ is away from $\{x\}$. Hence, $t\sigma = \lambda x(u\sigma)$. By assumption, $[\![T]\!]_I$ satisfies (comp-lam). Therefore, $t\sigma$ is computable if, for all computable $v : V$, $(u\sigma)^v_x$ is computable. Since $\sigma$ is away from $\{x\}$, $(u\sigma)^v_x = u(\sigma \cup \{(x, v)\})$ which is computable by induction hypothesis.

• $t = f(\bar t)$ with $f : \bar T \to U$. By induction hypothesis, $\bar t\sigma$ are computable. Thus, $(f, \bar t\sigma) \in \mathcal{E}_I$ and, by assumption, $f(\bar t)\sigma$ is computable. □

We are therefore left to find a set of neutral terms $\mathcal{N}$ and a base type interpretation $I$ so that type interpretations are computability predicates and function symbols are computable.

First, we are going to study under which conditions the interpretation of an arrow type $U \to V$, $[\![U \to V]\!]_I$, satisfies the above computability properties, whatever the base type interpretation $I$ and the set of neutral terms $\mathcal{N}$ are.

Second, we will define a set of neutral terms $\mathcal{N}$ and a base type interpretation $I$ so that, for every type $T$, $[\![T]\!]_I$ satisfies all the computability properties. Finally, we will prove that function symbols are computable by induction on $(>_\mathcal{F}, (>_\tau)_{stat})_{lex}$, which is well-founded when the following conditions are satisfied:

Lemma 6.12. Given a base type interpretation $I$ and a well-founded relation on $I$-computable terms $R$, $(>_\mathcal{F}, R_{stat})_{lex}$ is well-founded if, for all $f : \bar T \to U$, $[\![\bar T]\!]_I \subseteq SN(R)$.

Proof. If $(f, \bar t) \in \mathcal{E}_I$, then $\bar t \in [\![\bar T]\!]_I$. By assumption, $[\![\bar T]\!]_I \subseteq SN(R)$. Hence, by Lemma 4.1, $\bar t \in SN(R_{stat(g)})$ whatever $g$ is. Assume now that there is an infinite $(>_\mathcal{F}, R_{stat})_{lex}$-decreasing sequence $(f_i, \bar t_i)_{i \geq 0}$. Then, $(f_i)_{i \geq 0}$ is an infinite $\geq_\mathcal{F}$-decreasing sequence. Since $>_\mathcal{F}$ is well-founded by assumption, there must be some $j$ such that, for all $i \geq j$, $f_i \simeq_\mathcal{F} f_j$. Since symbols equivalent in $\simeq_\mathcal{F}$ have the same status by assumption, $(\bar t_i)_{i \geq j}$ is an infinite $R_{stat(f_j)}$-decreasing sequence, a contradiction. □

6.3. Computability properties of arrow types. In this sub-section, the results hold for any base type interpretation $I$ and any set of neutral terms $\mathcal{N}$. For the sake of simplicity, we drop the index $I$ in $[\![T]\!]_I$ and simply write $[\![T]\!]$.

Lemma 6.13. $[\![U \to V]\!]$ satisfies (comp-sn) if:

• $[\![U]\!] \neq \emptyset$, which is the case if $[\![U]\!]$ satisfies (comp-neutral);

• $[\![V]\!]$ satisfies (comp-sn).

Proof. Assume that there is an infinite reduction sequence $t_0 >_\tau t_1 >_\tau \ldots$ with $t_0 \in [\![U \to V]\!]$ and $t_i : T_i$. By definition of $[\![U \to V]\!]$, $T_0 = U \to V$. By definition of $>_\tau$, $T_0 \geq T_1 \geq \ldots$ By assumption, $[\![U]\!] \neq \emptyset$. So, let $u \in [\![U]\!]$. By definition of $[\![U \to V]\!]$, we have $t_0u \in [\![V]\!]$. We now prove that there is an infinite reduction sequence starting from $t_0u$. Since $[\![V]\!]$ is assumed to satisfy (comp-sn), this is not possible. Therefore, $[\![U \to V]\!]$ satisfies (comp-sn) too. By (typ-arrow) there are only two cases:

• For all $i$, $T_i = U \to B_i$ for some $B_i$. By monotony (Lemma 6.3), $t_0u >_\tau t_1u >_\tau \ldots$

• There is $i$ such that $T_{i+1}$ is a sort or $T_{i+1} = A_{i+1} \to B_{i+1}$ with $A_{i+1} \neq U$. Let $k$ be the smallest $i$ satisfying this condition. Hence, for all $i \leq k$, there is $B_i$ such that $T_i = U \to B_i$. By monotony (Lemma 6.3), $t_0u >_\tau \ldots >_\tau t_ku$. By (typ-arrow) we have $B_k \geq T_{k+1}$. Hence, by $(@\rhd)$, $t_ku >_\tau t_{k+1}$. □

Lemma 6.14. $[\![U \to V]\!]$ satisfies (comp-red) if:

• $[\![U]\!] \neq \emptyset$, which is the case if $[\![U]\!]$ satisfies (comp-neutral);

• $[\![V]\!]$ satisfies (comp-red).

Proof. Let $t \in [\![U \to V]\!]$ and $t' : T'$ such that $t >_\tau t'$. By definition of $[\![U \to V]\!]$, $t : U \to V$. By definition of $>_\tau$, $U \to V \geq T'$. By (typ-arrow), there are two cases:

(1) $V \geq T'$. By assumption, $[\![U]\!] \neq \emptyset$. So, let $u \in [\![U]\!]$. By definition of $[\![U \to V]\!]$, $tu \in [\![V]\!]$. By $(@\rhd)$, we have $tu >_\tau t'$. Therefore $t' \in [\![T']\!]$ since $[\![V]\!]$ satisfies (comp-red).

(2) $T' = U \to V'$ and $V \geq V'$. Let $u \in [\![U]\!]$. By monotony (Lemma 6.3), $tu >_\tau t'u$. By definition of $[\![U \to V]\!]$, $tu \in [\![V]\!]$. Since $[\![V]\!]$ satisfies (comp-red), $t'u \in [\![V']\!]$. Therefore, $t' \in [\![T']\!]$. □

Lemma 6.15. Let $t : U \to V$ and $u : U$. Then, every $>_\tau$-reduct of $tu$ is computable if:

• every $>_\tau$-reduct of $t$ is computable;

• $u$ is computable;

• if $t = \lambda xv$, then $v^u_x$ is computable;

• for all $u'$ such that $u >_\tau u'$, $tu'$ is computable;

• $[\![U]\!]$ satisfies (comp-red);

• $[\![V]\!]$ satisfies (comp-red);

• $[\![V']\!]$ satisfies (comp-lam) whenever $V' \leq V$.

Proof. We prove that every $w : W$ such that $tu >_\tau w$ is computable, by induction on $|w|$. By definition of $>_\tau$, we have $V \geq W$.

• $(@\rhd)$

— $t > w$. By (typ-right-subterm) $U \to V \geq V$. Hence, by transitivity, $U \to V \geq W$ and $t >_\tau w$. Therefore, $w$ is computable by assumption.

— $u >_\tau w$. Then, $w$ is computable since, by assumption, $u$ is computable and $[\![U]\!]$ satisfies (comp-red).

• $(@=)$ $w = t'u'$ and either:

— $t = t'$ and $u > u'$, in which case $t'u'$ is computable by assumption since $u >_\tau u'$;

— or $tu \rhd_@ t'$ and $tu \rhd_@ u'$. We prove that, for $v \in \{t', u'\}$, if $tu \rhd_@ v$ then $v$ is computable. There are three cases:

* $t >_\tau v$. Then, $v$ is computable by assumption.

* $u \geq_\tau v$. Then, either $u = v$ and $v$ is computable by assumption, or $u >_\tau v$ and $v$ is computable since $u$ is computable and $[\![U]\!]$ satisfies (comp-red).

* $tu >_\tau v$. Then, since $v \in \{t', u'\}$, $v$ is computable by induction hypothesis.

• $(@\lambda)$ $w = \lambda yv$, $tu > v$ and $y \notin FV(v)$ by Lemma 6.4. Then, there are $A$ and $B$ such that $W = A \to B$. By (typ-right-subterm) $W \geq B$. Hence, by transitivity, $V \geq B$ and $tu >_\tau v$. Thus, by induction hypothesis, $v$ is computable. Since $[\![W]\!]$ satisfies (comp-lam), $w$ is computable if, for all computable term $a : A$, $v^a_y$ is computable. Since $y \notin FV(v)$, $v^a_y = v$. Therefore, $w$ is computable.

• $(@X)$ Impossible.

• $(@\beta)$ $t = \lambda xv$ and $v^u_x \geq w$. Since $\tau((\lambda xv)u) = \tau(v^u_x)$, we have $v^u_x \geq_\tau w$. Thus $w$ is computable since $v^u_x$ is computable and $[\![V]\!]$ satisfies (comp-red). □


Lemma 6.16. Let $t : U \to V$ and $u : U$. Then, $tu$ is computable if:

• every $>_\tau$-reduct of $t$ is computable;

• $u$ is computable;

• if $t = \lambda xv$, then $v^u_x$ is computable;

• either $t$ is neutral or $t = \lambda xv$;

• $[\![U]\!]$ satisfies (comp-red) and (comp-sn);

• $[\![V]\!]$ satisfies (comp-red) and (comp-neutral);

• $[\![V']\!]$ satisfies (comp-lam) whenever $V' \leq V$.

Proof. We prove that $tu$ is computable by induction on $u$ with $>_\tau$ as well-founded relation ($[\![U]\!]$ satisfies (comp-sn) by assumption). So, by induction hypothesis, for all $u'$ such that $u >_\tau u'$, $tu'$ is computable. Hence, by Lemma 6.15, every $>_\tau$-reduct of $tu$ is computable. Now, $tu$ is neutral because, either $t$ is neutral and $tu$ is neutral by (neutral-app), or $t = \lambda xv$ and $tu$ is neutral by (neutral-beta). Therefore, $tu$ is computable since $[\![V]\!]$ satisfies (comp-neutral). □

Corollary 6.17. $[\![U \to V]\!]$ satisfies (comp-neutral) if:

• $[\![U]\!]$ satisfies (comp-red) and (comp-sn);

• $[\![V]\!]$ satisfies (comp-red) and (comp-neutral);

• $[\![V']\!]$ satisfies (comp-lam) whenever $V' \leq V$.

Proof. Let $t$ be a neutral term of type $U \to V$ such that every $>_\tau$-reduct of $t$ is computable. By definition, $t \in [\![U \to V]\!]$ if, for all computable $u : U$, $tu$ is computable. Since $t$ is neutral, by (neutral-not-lam), $t$ is not of the form $\lambda xv$. Therefore, by Lemma 6.16, $tu$ is computable since all the required properties are satisfied. □


Lemma 6.18. Let $x : U$ and $v : V$. Then, $\lambda xv$ is computable if:

• for all computable $u : U$, $v^u_x$ is computable;

• $[\![U]\!]$ satisfies (comp-sn) and (comp-red) and contains a variable, which is the case if it satisfies (comp-neutral) too;

• $[\![V]\!]$ satisfies (comp-sn), (comp-red) and (comp-neutral);

• $[\![V']\!]$ satisfies (comp-lam) whenever $V' \leq V$.

Proof. By definition, $\lambda xv$ is computable if, for all computable $u : U$, $(\lambda xv)u$ is computable. By Lemma 6.16, $(\lambda xv)u$ is computable if every $>_\tau$-reduct of $\lambda xv$ is computable, the other conditions being satisfied. Since $[\![U]\!]$ contains a variable, we can wlog assume that this is $x$. So, $v^x_x = v$ is computable. Since $[\![V]\!]$ satisfies (comp-sn), $v \in SN(>_\tau)$. We now prove that every $>_\tau$-reduct $w : W$ of $\lambda xv$ is computable, by induction on $(v, |w|)$ with $(>_\tau, >_\mathbb{N})_{lex}$ as well-founded relation. By definition of $>_\tau$, we have $U \to V \geq W$.

• $(\lambda\rhd)$ $v >_\tau w$. Since $v$ is computable and $[\![V]\!]$ satisfies (comp-red), we have $w$ computable.

• $(\lambda=)$ $w = \lambda xb$ and $v > b$. Then, there is $B$ such that $W = U \to B$. Since $U \to V \geq W$, by Lemma 2.4, we have $V \geq B$. Hence, $v >_\tau b$. Thus, by induction hypothesis, every $>_\tau$-reduct of $\lambda xb$ is computable. By Lemma 6.16, to prove that $\lambda xb$ is computable, it suffices to check that, for all $u : U$ computable, $b^u_x$ is computable. By assumption, $v^u_x$ is computable. By stability by substitution (Lemma 6.6), $v^u_x >_\tau b^u_x$. Therefore, $b^u_x$ is computable since $[\![V]\!]$ satisfies (comp-red) by assumption.

• $(\lambda\neq)$ $w = \lambda yb$, $\tau(x) \neq \tau(y)$, $\lambda xv > b$ and $y \notin FV(b)$ by Lemma 6.4. Then, there are $A$ and $B$ such that $W = A \to B$. Since $U \neq A$, by (typ-arrow) $V \geq W$. Since, by assumption, $[\![W]\!]$ satisfies (comp-lam), it suffices to prove that, for all computable $a : A$, $b^a_y$ is computable. Since $y \notin FV(b)$, $b^a_y = b$. By (typ-right-subterm) $U \to V \geq V$ and $W \geq B$. Hence, by transitivity, $U \to V \geq B$ and $\lambda xv >_\tau b$. Therefore, since $|w| > |b|$, by induction hypothesis, $b$ is computable.

• $(\lambda X)$ $w \in \emptyset$. Impossible.

• $(\lambda\eta)$ $v = ax$, $a > w$ and $x \notin FV(a)$. Since $\tau(\lambda xv) = \tau(a)$, we have $a >_\tau w$. Let $u : U$ computable. We have $au = v^u_x$ computable by assumption. Therefore, $a$ is computable. By Lemma 6.14, $[\![U \to V]\!]$ satisfies (comp-red) since $[\![U]\!] \neq \emptyset$ and $[\![V]\!]$ satisfies (comp-red). Therefore, $w$ is computable too. □

Corollary 6.19. $[\![U \to V]\!]$ satisfies (comp-lam) if:

• $[\![U]\!]$ satisfies (comp-sn), (comp-red) and (comp-neutral);

• $[\![V]\!]$ satisfies (comp-sn), (comp-red) and (comp-neutral);

• $[\![V']\!]$ satisfies (comp-lam) whenever $V' \leq V$.

In conclusion, we can see that $[\![U \to V]\!]_I$ is a computability predicate if so are $[\![U]\!]_I$ and $[\![V']\!]_I$ for all $V' \leq V$. Therefore, if we can define a base type interpretation $I$ so that, for every sort $A$, $I(A)$ is a computability predicate then, for all type $T$, $[\![T]\!]_I$ will be a computability predicate.


6.4. Well-foundedness of core CPO. We now define a set of neutral terms $\mathcal{N}$ and a base type interpretation $I$ for proving the well-foundedness of core CPO.

Definition 6.20 (Neutral terms for core CPO). Let $\mathcal{N}$ be the smallest set of terms containing the terms of the form $f(\bar t)$ and closed by (neutral-var), (neutral-beta) and (neutral-app).

One can easily check that $\mathcal{N}$ satisfies all the properties of Definition 6.10.

In contrast with the usual practice, but as in [59], our interpretation of sorts is not the set of strongly normalizing terms of that sort. To define the base type interpretation $I$, we proceed by induction on $>$ which is well-founded by (typ-sn). So, let $A$ be a sort and assume that $I$ is defined for all sorts $B < A$. Then, let $I(A)$ be the least fixpoint of the monotone function $F_A$ defined as follows:

$F_A(S) = \{t \in \mathcal{L} \mid t : A \wedge (\forall u)(\forall U)\ t >_\tau u \wedge u : U \Rightarrow u \in [\![U]\!]_{I \cup \{(A, S)\}}\}$

We now prove that $F_A$ is indeed well-defined and monotone. Then, by Knaster and Tarski's fixpoint theorem [85], $F_A$ admits a (least) fixpoint.

Lemma 6.21. $F_A$ is well-defined.

Proof. The recursive call to $[\![U]\!]_{I \cup \{(A, S)\}}$ is well-defined because, by definition of $>_\tau$, we have $A \geq U$. Hence, by Lemma 2.3, $Sort_{\leq A}(U)$. □

Lemma 6.22. $F_A$ is monotone.

Proof. Let $S \subseteq S'$, $J = I \cup \{(A, S)\}$, $J' = I \cup \{(A, S')\}$ and $t \in F_A(S)$. Then, (1) $t : A$ and (2) $(\forall u)(\forall U)\ t >_\tau u \wedge u : U \Rightarrow u \in [\![U]\!]_J$. Now, we have $t \in F_A(S')$ because $t$ satisfies (1) and (2) with $S$ replaced by $S'$. Indeed, assume that $t >_\tau u$ and $u : U$. By (2), $u \in [\![U]\!]_J$. By definition of $>_\tau$, $A \geq U$. If $A = U$, then $u \in [\![U]\!]_{J'}$ since $u \in [\![U]\!]_J = S \subseteq S' = [\![U]\!]_{J'}$. Otherwise, by Lemma 2.3, $Sort_{<A}(U)$. Therefore, by Lemma 6.8, $[\![U]\!]_J = [\![U]\!]_{J'}$ and $u \in [\![U]\!]_{J'}$. □
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Note that the least fixpoint of F A can be reached by transfinite iteration of F A from 0 
mm, that is, there is an ordinal a, such that /(A) = F^(0) where: 

• F° a (S) = S 

. F“ +1 (F) = F A (F“(S)) 

• F£(S) = UtKaF^S) if a is a limit ordinal 

We now check that type interpretations are computability predicates.

Lemma 6.23. Given a sort $A$, $\llbracket A\rrbracket$ satisfies (comp-red), (comp-neutral) and (comp-lam).

Proof. We show each property in turn.

• (comp-red) Let $t \in \llbracket A\rrbracket$ and assume that $t >_T u$ and $u : U$. Since $\llbracket A\rrbracket = F_A(\llbracket A\rrbracket)$, we have $u \in \llbracket U\rrbracket$ by definition of $F_A$.

• (comp-neutral) Let $t : A$ be a neutral term whose $>_T$-reducts are all computable. Since $\llbracket A\rrbracket = F_A(\llbracket A\rrbracket)$, we have $t \in \llbracket A\rrbracket$ by definition of $F_A$.

• (comp-lam) Trivial for typing reasons. □

Lemma 6.24. Given a sort $A$, $\llbracket A\rrbracket$ satisfies (comp-sn) if, for all type $U < A$, $\llbracket U\rrbracket$ satisfies (comp-sn).

Proof. As already mentioned, $\llbracket A\rrbracket = F_A^a(\emptyset)$ for some ordinal $a$. Since $\emptyset$ satisfies (comp-sn), it therefore suffices to check that $F_A$ preserves termination: if $S \subseteq \mathrm{SN}(>_T)$, then $F_A(S) \subseteq \mathrm{SN}(>_T)$. So, let $S \subseteq \mathrm{SN}(>_T)$ and let $t \in F_A(S)$. By definition of $F_A$, we have $t : A$ and, if $t >_T u$ and $u : U$, then $u \in \llbracket U\rrbracket_J$ where $J = I \cup \{(A,S)\}$. By definition of $>_T$, $A \geq U$. If $A = U$, then $\llbracket U\rrbracket_J = S$ and $u \in \mathrm{SN}(>_T)$ since $S \subseteq \mathrm{SN}(>_T)$. Otherwise, $u \in \mathrm{SN}(>_T)$ since $\llbracket U\rrbracket \subseteq \mathrm{SN}(>_T)$ by assumption. □


Theorem 6.25. For all type $T$, $\llbracket T\rrbracket$ is a computability predicate, i.e. satisfies (comp-sn), (comp-red), (comp-neutral) and (comp-lam).

Proof. We proceed by induction on $>$, which is well-founded by assumption (typ-sn). If $T$ is a sort, then we can conclude by Lemma 6.23, Lemma 6.24 and the induction hypothesis. Otherwise, $T = U \to V$. Since $T > U$, by induction hypothesis, $\llbracket U\rrbracket$ is a computability predicate. Let now $V'$ be a type such that $V \geq V'$. By (typ-right-subterm) and transitivity, $T > V'$. Hence, by induction hypothesis, $\llbracket V'\rrbracket$ is a computability predicate. Therefore, $\llbracket U \to V\rrbracket$ satisfies (comp-sn) by Lemma 6.13, (comp-red) by Lemma 6.14, (comp-neutral) by Corollary 6.17 and (comp-lam) by Corollary 6.19. □

Now, we are left to prove that every function symbol is computable.

Lemma 6.26. Let $f : \bar T \to U$ and $\bar t \in \llbracket \bar T\rrbracket$. Then, $f(\bar t) \in \llbracket U\rrbracket$.

Proof. By Theorem 6.25, $\llbracket \bar T\rrbracket$ satisfies (comp-sn). Hence, by Lemma 6.12, $(>_{\mathcal F}, (>_T)_{stat})_{lex}$ is well-founded. We now prove that, for all $(f, \bar t)$ with $\bar t$ computable, $f(\bar t)$ is computable, by induction on $(>_{\mathcal F}, (>_T)_{stat})_{lex}$ (1).

First, we check that $t = f(\bar t)$ is computable if all its $>_T$-reducts so are. This follows from the facts that, by definition of $\mathcal N$, $t$ is neutral and, by Theorem 6.25, $\llbracket U\rrbracket$ satisfies (comp-neutral).

We now prove that, for all finite sets of variables $X$, for all substitutions $\sigma$ such that $\mathrm{dom}(\sigma) \cap \mathrm{FV}(\bar t) = \emptyset$ and $\sigma$ is computable on $X$, and for all terms $w$ such that $f(\bar t) >^X_T w$, we have $w\sigma$ computable, by induction on the size of $w$ (2). Note that $\bar t\sigma = \bar t$ since $\mathrm{dom}(\sigma) \cap \mathrm{FV}(\bar t) = \emptyset$.

• $(\mathcal F_b{\triangleright})$ $t_i \geq_T w$. By stability by substitution of $>_T$, we have $t_i\sigma \geq_T w\sigma$. Therefore, $w\sigma$ is computable since, by Theorem 6.25, $\llbracket T_i\rrbracket$ satisfies (comp-red).

• $(\mathcal F_b{=})$ There are $g$ and $\bar u$ such that $w = g(\bar u)$, $f =_{\mathcal F} g$, $(\forall i)\; f(\bar t) >^X_T u_i$ and $\bar t\ (>_T)_{stat(f)}\ \bar u$. Since $(\forall i)\; f(\bar t) >^X_T u_i$, by induction hypothesis (2), $\bar u\sigma$ are computable. If $t_i >_T u_j$ then, by stability by substitution, $t_i = t_i\sigma >_T u_j\sigma$. Therefore, $\bar t\ (>_T)_{stat(f)}\ \bar u\sigma$ and, by induction hypothesis (1), $g(\bar u)\sigma = g(\bar u\sigma)$ is computable.

• $(\mathcal F_b{>})$ There are $g$ and $\bar u$ such that $w = g(\bar u)$, $f >_{\mathcal F} g$ and $f(\bar t) >^X_T \bar u$. Since $f(\bar t) >^X_T \bar u$, by induction hypothesis (2), $\bar u\sigma$ are computable. Hence, $g(\bar u)\sigma$ is computable by induction hypothesis (1).

• $(\mathcal F_b@)$ $w = uv$ with $f(\bar t) >^X_T u$ and $f(\bar t) >^X_T v$. By induction hypothesis (2), $u\sigma$ and $v\sigma$ are computable. Therefore, $(uv)\sigma = (u\sigma)(v\sigma)$ is computable.

• $(\mathcal F_b\lambda)$ $w = \lambda y v$. Wlog we can assume that $\sigma$ is away from $\{y\}$ and $y \notin \mathrm{FV}(f(\bar t))$. Hence, $(\lambda y v)\sigma = \lambda y (v\sigma)$. By Theorem 6.25, $\lambda y (v\sigma)$ is computable if, for all computable $u : \tau(y)$, $(v\sigma)^u_y$ is computable. Since $\sigma$ is away from $\{y\}$, $(v\sigma)^u_y = (v^z_y)\theta$ where $z$ is a fresh variable and $\theta = \sigma \cup \{(z,u)\}$. Let $Z = X \cup \{z\}$. Since $f(\bar t) >^Z_T v^z_y$, $\mathrm{dom}(\theta) \cap \mathrm{FV}(f(\bar t)) = \emptyset$ and $\theta$ is computable on $Z$, we have $v^z_y\theta$ computable by induction hypothesis (2).

• $(\mathcal F_bX)$ $w \in X$. Then, $w\sigma$ is computable since $\sigma$ is computable on $X$. □

Theorem 6.27. The relation $>_T$ of Definition 5.1 is well-founded.

Proof. After Theorem 6.11, Theorem 6.25 and Lemma 6.26. □

We can therefore conclude that $>_T$ is a monotone, stable, well-founded order.

The well-foundedness proof of core CPO is actually similar to that of HORPO, although the proof here is presented in a quite different style from HORPO's monolithic proof [59]. This similarity fades away with the two coming extensions, to inductive types and to small symbols. The reason why we have split the proof into small pieces is indeed to factor out its structure and those parts which are common to core CPO and its extensions.

7. Accessibility

In this section, we introduce an extension of the core definition that will allow us to handle rewrite rules like the ones defining recursors for strictly positive inductive types as used in the Coq proof assistant [29, 53].

Example 7.1. Consider the inductive type $O$ of "Brouwer ordinals" whose constructors are $\mathrm{zero} : O$ for zero, $\mathrm{suc}^1 : O \to O$ for successor, and $\mathrm{lim}^1 : (N \to O) \to O$ for limit, where $N$ is the inductive type of Peano (unary) natural numbers with constructors $0 : N$ and $\mathrm{s}^1 : N \to N$. Given a type $A$, the recursor (of arity 4) at type $A$

$$\mathrm{rec}_O : O \to A \to (O \to A \to A) \to ((N \to O) \to (N \to A) \to A) \to A$$

can be defined by the following rewrite rules:

$\mathrm{rec}_O(\mathrm{zero}, u, v, w) \to u$
$\mathrm{rec}_O(\mathrm{suc}(x), u, v, w) \to v\,x\,(\mathrm{rec}_O(x, u, v, w))$
$\mathrm{rec}_O(\mathrm{lim}(y), u, v, w) \to w\,y\,(\lambda n\,\mathrm{rec}_O(y\,n, u, v, w))$

To capture such a relation, we need the following two comparisons to succeed: $\mathrm{rec}_O(\mathrm{lim}(y), u, v, w) >_T y$ and $\mathrm{lim}(y) >_T y\,n$.

The second comparison cannot succeed unless we allow non-empty sets $X$ of variables in $(\mathcal F_b{=})$ in order to have $\mathrm{lim}(y) >^{\{n\}}_T y\,n$, but we have seen in Section 5.2 that this may lead to non-termination. Instead, we will use a specific ordering: the structural ordering introduced by Coquand for dealing with such kind of definitions in the calculus of constructions [28].

For the first comparison to succeed, since the type of $y$ is bigger than the type of $\mathrm{lim}(y)$, we must not check types in $(\mathcal F_b{\triangleright})$, but we have seen in Section 5.2 that this may lead to non-termination. To solve this problem, we will compare in $(\mathcal F_b{\triangleright})$ the right-hand side with possibly deep subterms of the left-hand side.

We cannot take any deep subterm however, as shown by the following example: assuming the signature $c^1 : (A \to B) \to A$ and $f^1 : A \to (A \to B)$, the deep subterm comparison $f(c(x)) >_T x$ leads to non-termination since, taking $t = \lambda x\, f(x)\,x$, we have $f(c(t))\,c(t) >_T t\,c(t) >_T f(c(t))\,c(t)$ by monotony and $(@\beta)$. There are two cases where deep subterms can be used: as for the first, deep subterms whose type is a (sufficiently small) sort [59]; as for the second, Mendler showed that pattern-matching on constructors of a sort $A$ having an argument whose type has a negative occurrence of $A$ wrt the arrow type constructor (see Definition 7.2 just after) leads to non-termination, while, on the contrary, $\beta$-reduction combined with recursion combinators for positive inductive types terminates [73, 74].

7.1. Accessible subterms. In this sub-section, we first define the sets of positive and negative positions of a type, and the notions of accessible and structurally smaller term, before we prove some properties of these notions.

Definition 7.2 (Positive and negative positions in a type). The sets $\mathrm{Pos}(T)$, $\mathrm{Pos}(A,T)$, $\mathrm{Pos}^+(T)$ and $\mathrm{Pos}^-(T)$ of positions, positions of $A$, positive positions and negative positions in a type $T$ are inductively defined as follows:

• $\mathrm{Pos}(A) = \mathrm{Pos}^+(A) = \mathrm{Pos}(A,A) = \{\varepsilon\}$

• $\mathrm{Pos}^-(A) = \emptyset$

• $\mathrm{Pos}(A,B) = \emptyset$ if $A \neq B$

• $\mathrm{Pos}(T \to U) = \{1p \mid p \in \mathrm{Pos}(T)\} \cup \{2p \mid p \in \mathrm{Pos}(U)\}$

• $\mathrm{Pos}(A, T \to U) = \{1p \mid p \in \mathrm{Pos}(A,T)\} \cup \{2p \mid p \in \mathrm{Pos}(A,U)\}$

• $\mathrm{Pos}^+(T \to U) = \{1p \mid p \in \mathrm{Pos}^-(T)\} \cup \{2p \mid p \in \mathrm{Pos}^+(U)\}$

• $\mathrm{Pos}^-(T \to U) = \{1p \mid p \in \mathrm{Pos}^+(T)\} \cup \{2p \mid p \in \mathrm{Pos}^-(U)\}$

A sort $A$ occurs only positively (resp. negatively) in $T$ if $\mathrm{Pos}(A,T) \subseteq \mathrm{Pos}^+(T)$ (resp. $\mathrm{Pos}(A,T) \subseteq \mathrm{Pos}^-(T)$).

For instance, for $T = (A \to B) \to B$ with $A \neq B$, we have $\mathrm{Pos}(T) = \{\varepsilon, 1, 2, 11, 12\}$, $\mathrm{Pos}^+(T) = \{11, 2\}$, $\mathrm{Pos}^-(T) = \{12\}$, $\mathrm{Pos}(A,T) = \{11\}$ and $\mathrm{Pos}(B,T) = \{12, 2\}$. Hence, $A$ occurs only positively in $T$, but $B$ has both positive and negative occurrences in $T$.

Definition 7.3 (Accessible arguments). For every $f^{\alpha(f)} : \bar T \to A$, we assume given a set $\mathrm{Acc}(f)$ of accessible arguments of $f$ such that $i \in \mathrm{Acc}(f)$ implies $\mathrm{Sort}_{\leq A}(T_i)$ and $\mathrm{Pos}(A, T_i) \subseteq \mathrm{Pos}^+(T_i)$.

Note that, if $\alpha(f) < |\bar T|$, the output type of $f$ is functional.

Let us consider Example 7.1 and assume that $O > N$. Then, $O$ occurs only positively in the type of the first argument of $\mathrm{suc}$, and we can take $\mathrm{Acc}(\mathrm{suc}) = \{1\}$. Similarly, we can take $\mathrm{Acc}(\mathrm{lim}) = \{1\}$.

We can now introduce those sorts $A$ which are not bigger than any arrow type and will be interpreted by $\mathrm{SN}_A(>_T)$ later:

Definition 7.4 (Basic sorts). A sort $A$ is basic if, for all type $T < A$, $T$ is a basic sort and, for all $f : \bar T \to A$ and $i \in \mathrm{Acc}(f)$, $T_i = A$ or $T_i$ is a basic sort.

In particular, all first-order data types like unary natural numbers, lists, trees, etc., whose constructors do not take a function as argument, are basic.

Accessibility blends accessible arguments and subterms of basic sort:

Definition 7.5 (Accessibility). A term $u$ is said to be accessible in a term $t$ if:

• $u$ is a subterm of basic sort of $t$ such that $\mathrm{FV}(u) \subseteq \mathrm{FV}(t)$, written $t \triangleright_b u$, or

• there are $f^{\alpha(f)} : \bar T \to A$, $\bar t : \bar T$ and $i \in \mathrm{Acc}(f)$ such that $t = f(t_1, \dots, t_{\alpha(f)})\,t_{\alpha(f)+1} \dots t_{|\bar t|}$ and $t_i \trianglerighteq_a u$, written $t \triangleright_a u$,

where $\trianglerighteq_b$ and $\trianglerighteq_a$ are the reflexive closures of $\triangleright_b$ and $\triangleright_a$ respectively.

Coming back to Example 7.1, we have $x$ accessible in $\mathrm{suc}(x)$ since $\mathrm{suc}(x) \triangleright_a x$, and $y$ accessible in $\mathrm{lim}(y)$ since $\mathrm{lim}(y) \triangleright_a y$.

Lemma 7.6. If $t \triangleright_a u : U$, then there are two sorts $A$ and $B$ such that $t : A$, $B \leq A$, $\mathrm{Sort}_{\leq B}(U)$ and $\mathrm{Pos}(B,U) \subseteq \mathrm{Pos}^+(U)$.

Proof. By induction on $\triangleright_a$, which is clearly well-founded. Assume that there are $f^{\alpha(f)} : \bar T \to A$, $\bar t : \bar T$ and $i \in \mathrm{Acc}(f)$ such that $t = f(t_1, \dots, t_{\alpha(f)})\,t_{\alpha(f)+1} \dots t_{|\bar t|}$ and $t_i \trianglerighteq_a u$. By definition of $\mathrm{Acc}$, $\mathrm{Sort}_{\leq A}(T_i)$ and $\mathrm{Pos}(A,T_i) \subseteq \mathrm{Pos}^+(T_i)$. If $t_i = u$ then $U = T_i$ and we are done with $B = A$. Assume now that $t_i \triangleright_a u$. Then, by induction hypothesis, there are two sorts $B$ and $C$ such that $t_i : B$, $C \leq B$, $\mathrm{Sort}_{\leq C}(U)$ and $\mathrm{Pos}(C,U) \subseteq \mathrm{Pos}^+(U)$. Since $\mathrm{Sort}_{\leq A}(T_i)$ and $T_i = B$, we have $B \leq A$. By transitivity, we get $C \leq A$, so $A$ and $C$ are the required sorts. □

Corollary 7.7. If $t : A$, $t \triangleright_a u : U$ and $A$ occurs in $U$, then $\mathrm{Sort}_{\leq A}(U)$ and $\mathrm{Pos}(A,U) \subseteq \mathrm{Pos}^+(U)$.

Proof. By Lemma 7.6, there is a sort $B \leq A$ such that $\mathrm{Sort}_{\leq B}(U)$ and $\mathrm{Pos}(B,U) \subseteq \mathrm{Pos}^+(U)$. Since $A$ occurs in $U$, $A \leq B$. Therefore, $B = A$ and we are done. □

Definition 7.8 ([28]). Given a finite set $X$ of variables, we say that $u$ is structurally smaller than $t$ wrt $X$, written $t \triangleright^X_@ u$, if there are $A$, $v$ and $x : U$ such that $t : A$, $u : A$, $u = v\,x$, $t \triangleright_a v$, $x \in X$ and $\mathrm{Pos}(A,U) = \emptyset$.

One can easily check:

Lemma 7.9. $\triangleright_b$ and $\triangleright_a$ (resp. $\triangleright^X_@$) are stable by substitution (resp. by substitution away from $X$).
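
The following script is an added worked example, not code from the paper: it implements accessibility (Definition 7.5, both $\triangleright_b$ and $\triangleright_a$) and the structural ordering $\triangleright^X_@$ of Definition 7.8 on a small simply typed term language, and checks the two facts used for Example 7.1 ($\mathrm{lim}(y) \triangleright_a y$ and $\mathrm{lim}(y) \triangleright^{\{n\}}_@ y\,n$), the failure of the latter when $n \notin X$, the role of the free-variable condition in $\triangleright_b$, and that $x$ is not accessible in $c(x)$ for the counterexample signature $c : (A \to B) \to A$ (whose $\mathrm{Acc}(c)$ must be empty by Definition 7.3). The term encoding, the signature `SIG`, the table `ACC` and the set `BASIC` of basic sorts are this example's own assumptions, chosen to match the text.

```python
# Added worked example, not code from the paper: accessible subterms
# (Definition 7.5) and the structural ordering of Definition 7.8, checked on
# the Brouwer-ordinal constructors of Example 7.1 and on the signature
# c : (A -> B) -> A of the non-terminating deep-subterm example. Encoding
# (this example's own convention): sorts are str, arrows are pairs (T, U);
# terms are tuples ('var', x), ('app', t, u), ('lam', x, T, t) and
# ('fun', f, (t1, ..., tn)); SIG, ACC and BASIC are the example's assumptions.

SIG = {'zero': ((), 'O'), 'suc': (('O',), 'O'), 'lim': ((('N', 'O'),), 'O'),
       '0': ((), 'N'), 's': (('N',), 'N'), 'c': ((('A', 'B'),), 'A')}
ACC = {'suc': (1,), 'lim': (1,), 's': (1,)}   # Acc(c) is empty (Definition 7.3)
BASIC = {'N'}                                  # O is not basic: lim takes a function

def type_of(t, env):
    """Simple typing of terms; env maps free variables to their types."""
    if t[0] == 'var':
        return env[t[1]]
    if t[0] == 'lam':
        _, x, ty, body = t
        return (ty, type_of(body, {**env, x: ty}))
    if t[0] == 'app':
        dom, cod = type_of(t[1], env)
        assert type_of(t[2], env) == dom, 'ill-typed application'
        return cod
    args, out = SIG[t[1]]
    assert tuple(type_of(a, env) for a in t[2]) == args, 'ill-typed symbol'
    return out

def fv(t):
    if t[0] == 'var':
        return {t[1]}
    if t[0] == 'lam':
        return fv(t[3]) - {t[1]}
    if t[0] == 'app':
        return fv(t[1]) | fv(t[2])
    return set().union(*(fv(a) for a in t[2]))

def subterms(t, env):
    """Every subterm of t, paired with the typing environment at its position."""
    yield t, env
    if t[0] == 'lam':
        yield from subterms(t[3], {**env, t[1]: t[2]})
    elif t[0] == 'app':
        yield from subterms(t[1], env)
        yield from subterms(t[2], env)
    elif t[0] == 'fun':
        for a in t[2]:
            yield from subterms(a, env)

def basic_subterms(t, env):
    """t |>=_b u: t itself, or a subterm of basic sort whose free variables
    are all free in t."""
    return {u for u, e in subterms(t, env)
            if u == t or (type_of(u, e) in BASIC and fv(u) <= fv(t))}

def head(t):
    """Split t = h t1 ... tk (k applications) into (h, [t1, ..., tk])."""
    extra = []
    while t[0] == 'app':
        extra.insert(0, t[2])
        t = t[1]
    return t, extra

def acc_refl(t):
    """t |>=_a u: t itself, or a term reached by descending repeatedly into an
    accessible argument of the head symbol f(t1, ..., t_alpha(f)) ... tn."""
    result = {t}
    h, _ = head(t)
    if h[0] == 'fun':
        for i in ACC.get(h[1], ()):
            result |= acc_refl(h[2][i - 1])
    return result

def accessible(t, u, env):
    """u is accessible in t: t |>=_b s |>=_a u for some s (Definition 7.5)."""
    return any(u in acc_refl(s) for s in basic_subterms(t, env))

def sort_occurs(a, ty):
    """Pos(A, T) is non-empty."""
    return ty == a if isinstance(ty, str) else sort_occurs(a, ty[0]) or sort_occurs(a, ty[1])

def structurally_smaller(t, u, X, env):
    """t |>^X_@ u (Definition 7.8): t and u have the same sort A, u = v x with
    t |>_a v (strictly), x a variable of X whose type does not mention A."""
    a = type_of(t, env)
    if not isinstance(a, str) or type_of(u, env) != a or u[0] != 'app':
        return False
    v, x = u[1], u[2]
    return (x[0] == 'var' and x[1] in X and v in acc_refl(t) - {t}
            and not sort_occurs(a, env[x[1]]))

# Terms of Example 7.1 and of the counterexample, with y : N -> O, n, m : N, x : A -> B.
ENV = {'y': ('N', 'O'), 'n': 'N', 'm': 'N', 'x': ('A', 'B')}
LIM_Y = ('fun', 'lim', (('var', 'y'),))                      # lim(y)
Y_N = ('app', ('var', 'y'), ('var', 'n'))                    # y n
C_X = ('fun', 'c', (('var', 'x'),))                          # c(x)
S_M = ('fun', 's', (('var', 'm'),))                          # s(m)
LIM_LAM = ('fun', 'lim', (('lam', 'n', 'N', ('app', ('var', 'y'), S_M)),))  # lim(\n. y (s m))
```

With these definitions, `structurally_smaller(LIM_Y, Y_N, {'n'}, ENV)` holds while `structurally_smaller(LIM_Y, Y_N, set(), ENV)` does not, which is the difference between the two comparisons discussed after Example 7.1; `accessible(LIM_LAM, S_M, ENV)` holds through $\triangleright_b$ (a subterm of basic sort $N$ whose only free variable $m$ is free in the whole term), whereas the bound variable $n$ of the same term is not accessible.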

7.2. CPO with accessible subterms.

Definition 7.10 (CPO with accessible subterms). The relation $>^X_T$ is extended by replacing the rules $(\mathcal F_b{\triangleright})$ and $(\mathcal F_b{=})$ of Figure 1 by the ones of Figure 2.

Figure 2: New CPO rules with accessible subterms

$(\mathcal F_b{\triangleright})$ $f(\bar t) >^X_T v$ if $f \in \mathcal F_b$ and $\bar t\ \trianglerighteq_b \trianglerighteq_a \geq_T\ v$ (i.e. $t_i \trianglerighteq_b s \trianglerighteq_a v' \geq_T v$ for some $i$, $s$ and $v'$)

$(\mathcal F_b{=})$ $f(\bar t) >^X_T g(\bar u)$ if $f \in \mathcal F_b$, $f =_{\mathcal F} g$, $f(\bar t) >^X_T \bar u$ and $\bar t\ (>_T \cup \triangleright^X_@ \geq_T)_{stat(f)}\ \bar u$

The rules of Example 7.1 are now easily oriented by CPO. Take for instance the third rule. Writing $l = \mathrm{rec}_O(\mathrm{lim}(y), u, v, w)$, it is included in CPO since $l >_T w\,y\,(\lambda n\,\mathrm{rec}_O(y\,n, u, v, w))$ by $(\mathcal F_b@)$ because:

• $l >_T w\,y$ by $(\mathcal F_b@)$ since:

– $l >_T w$ by $(\mathcal F_b{\triangleright})$,

– $l >_T y$ by $(\mathcal F_b{\triangleright})$ since $\mathrm{lim}(y) \triangleright_a y$,

• $l >_T \lambda n\,\mathrm{rec}_O(y\,n, u, v, w)$ by $(\mathcal F_b\lambda)$ since $l >^{\{n\}}_T \mathrm{rec}_O(y\,n, u, v, w)$ by $(\mathcal F_b{=})$ because:

– $l >^{\{n\}}_T y\,n$ by $(\mathcal F_b@)$ since:

* $l >^{\{n\}}_T y$ as already seen,

* $l >^{\{n\}}_T n$ by $(\mathcal F_bX)$,

– $l >^{\{n\}}_T u, v, w$ by $(\mathcal F_b{\triangleright})$,

– $\mathrm{lim}(y) \triangleright^{\{n\}}_@ y\,n$, so that $(\mathrm{lim}(y), u, v, w)\ (>_T \cup \triangleright^{\{n\}}_@ \geq_T)_{stat(\mathrm{rec}_O)}\ (y\,n, u, v, w)$.

Following [12], we could strengthen CPO further by defining $\triangleright^X_@$ and $>^X_T$ simultaneously, replacing, in the definition of $\triangleright^X_@$, the condition $x \in X$ by $f(\bar t) >^X_T x$, with the corresponding change in $(\mathcal F_b{=})$.

7.3. Comparison with CHORPO. CHORPO is a variant of HORPO which was also aiming at ordering recursors of inductive types like Brouwer's ordinals. In rules (1), (3), (4) and (7) of the 12 rules of HORPO as recalled in Section 5, one has to show recursively that the right-hand side is smaller than (or equal to) a direct subterm of the left-hand side $f(\bar t)$. In CHORPO, one can also use, in addition to the direct subterms, any term of the computability closure $CC(f(\bar t), \emptyset)$ of the left-hand side, a set inductively defined by 6 rules (CC1) to (CC6) that, for most of them, correspond to CPO rules as follows.

$CC(f(\bar t), X)$ must contain $\bar t$, which corresponds to $(\mathcal F_b{\triangleright})$, and $X$, which corresponds to $(\mathcal F_bX)$; (CC1) says that $CC(f(\bar t), \emptyset)$ contains any term $u$ of minimal type such that $\bar t \triangleright_s u$, where $t \triangleright_s u$ if $t \triangleright u$ and $\mathrm{FV}(u) \subseteq \mathrm{FV}(t)$, which corresponds to $(\mathcal F_b{\triangleright})$, $(@{\triangleright})$ and $(\lambda{\triangleright})$; (CC2) corresponds to $(\mathcal F_b{>})$; (CC3) corresponds to $(\mathcal F_b{=})$ with $>_T$ replaced by $>_{horpo}$; (CC4) corresponds to $(\mathcal F_b@)$ and (CC5) to $(\mathcal F_b\lambda)$.

On the other hand, (CC6) says that $CC(f(\bar t), \emptyset)$ is closed by $>_{horpo}$. Capturing such a rule in CPO requires to consider the transitive closure of $>_T$ in $(\mathcal F_b{=})$, which would most presumably turn CPO into an undecidable relation, as it is probably already the case of CHORPO for the same reason.

In conclusion, while CHORPO and CPO look incomparable, the restriction of CHORPO to (CC1), (CC2), (CC3), (CC4), (CC5) is included in CPO. In fact, CPO can be seen as a decidable reformulation of CHORPO integrating in a simple, uniform and more powerful way both HORPO and the notion of computability closure. Note finally that HORPO and the computability closure are themselves already related. More precisely, the first version of HORPO [58] is included in the fixpoint of the monotone function mapping $>$ to the relation $>^X_{cc}$ such that $t >^X_{cc} u$ if $u \in CC(t, X)$, RPO being equal to this fixpoint when restricted to first-order terms.

7.4. Computability with accessible subterms.

Lemma 7.11 (Basic properties).

• $>^X_T$ is well-defined.

• $>_T$ is monotone.

• If $a >^X_T b$, then $\mathrm{FV}(b) \subseteq \mathrm{FV}(a) \cup X$.

• $>^X_T$ is stable by $\alpha$-equivalence.

• $>^X_T$ is stable by substitution away from $X$.

• If $e$ and $e'$ are variables such that $\tau(e) = \tau(e')$, $t >^X_T u$ and $e' \notin \mathrm{FV}(\lambda e\,u)$, then $t >^{(X \setminus \{e\}) \cup \{e'\}}_T u^{e'}_e$.

Proof. As for the core definition, using Lemma 7.9 and the fact that, if $a \triangleright_a b$, then $\mathrm{FV}(b) \subseteq \mathrm{FV}(a)$. □

In order to extend the well-foundedness proof of core CPO to accessible subterms, we need to define a set of neutral terms and a base type interpretation so that accessible arguments of a computable term $f(\bar t)$ are computable. Hence, the following definitions:

Definition 7.12 (Neutral terms for CPO with accessible subterms). Let $\mathcal N$ be the smallest set of terms containing the terms of the form $f(\bar t)$ with $\mathrm{Acc}(f) = \emptyset$, and closed by (neutral-var), (neutral-beta) and (neutral-app).

One can easily check that $\mathcal N$ satisfies all the properties of Definition 6.10. Note that, now, a term is neutral if and only if it is of the form $x\bar v$, $(\lambda x a)b\bar v$, or $f(\bar t)\bar v$ with $\mathrm{Acc}(f) = \emptyset$.

To define the base type interpretation $I$, we proceed as for core CPO by well-founded induction on $>$. So, let $A$ be a sort and assume that $I$ is defined for all sorts $B < A$. Then, let $I(A)$ be the least fixpoint of the monotone function $F_A$ defined as follows:

$$\begin{aligned} F_A(S) = \{\, t \in \mathcal L \mid\ & t : A \;\wedge\; (\forall u)(\forall U)\; (t >_T u \wedge u : U \Rightarrow u \in \llbracket U\rrbracket_{I \cup \{(A,S)\}}) \\ & \wedge\; (\forall f)(\forall \bar T)(\forall \bar t)(\forall i)\; (f^{\alpha(f)} : \bar T \to A \wedge t = f(t_1, \dots, t_{\alpha(f)})\,t_{\alpha(f)+1} \dots t_{|\bar t|} \wedge i \in \mathrm{Acc}(f) \\ & \qquad \Rightarrow t_i \in \llbracket T_i\rrbracket_{I \cup \{(A,S)\}}) \,\} \end{aligned}$$

Note that, by this definition, a term $f(t_1, \dots, t_{\alpha(f)})\,t_{\alpha(f)+1} \dots t_n : A$ is computable if all its $>_T$-reducts and all its accessible arguments $t_i$ with $i \in \mathrm{Acc}(f)$ are computable. This makes the terms of this form behave like neutral terms when $\bar t$ are computable.

We now prove that $F_A$ is indeed well-defined and monotone.

Lemma 7.13. $F_A$ is well-defined.

Proof. The calls to $\llbracket U\rrbracket_{I \cup \{(A,S)\}}$ and $\llbracket T_i\rrbracket_{I \cup \{(A,S)\}}$ with $i \in \mathrm{Acc}(f)$ are well-defined because every sort occurring in $U$ or $T_i$ is $\leq A$. Indeed, by definition of $>_T$, we have $A \geq U$. Hence, by Lemma 2.5, $\mathrm{Sort}_{\leq A}(U)$. As for $T_i$, it follows by definition of $\mathrm{Acc}(f)$. □

Lemma 7.14. Let $T$ be a type such that $\mathrm{Sort}_{\leq A}(T)$. Then, the function $S \mapsto \llbracket T\rrbracket_{I \cup \{(A,S)\}}$ is monotone (resp. anti-monotone) wrt set inclusion if $\mathrm{Pos}(A,T) \subseteq \mathrm{Pos}^+(T)$ (resp. $\mathrm{Pos}(A,T) \subseteq \mathrm{Pos}^-(T)$).

Proof. Let $S \subseteq S'$, $J = I \cup \{(A,S)\}$ and $J' = I \cup \{(A,S')\}$. We proceed by induction on $T$.

• $T = A$. Then, $\llbracket T\rrbracket_J = S \subseteq S' = \llbracket T\rrbracket_{J'}$.

• $T = B < A$. Then, $\llbracket T\rrbracket_J = I(B) = \llbracket T\rrbracket_{J'}$.

• $T = U \to V$ and $\mathrm{Pos}(A,T) \subseteq \mathrm{Pos}^+(T)$. Let $t \in \llbracket T\rrbracket_J$. By definition of $\llbracket T\rrbracket$, $t \in \llbracket T\rrbracket_{J'}$ if, for all $u \in \llbracket U\rrbracket_{J'}$, $tu \in \llbracket V\rrbracket_{J'}$. By definition, $\mathrm{Pos}(A,T) = \{1p \mid p \in \mathrm{Pos}(A,U)\} \cup \{2p \mid p \in \mathrm{Pos}(A,V)\}$ and $\mathrm{Pos}^+(T) = \{1p \mid p \in \mathrm{Pos}^-(U)\} \cup \{2p \mid p \in \mathrm{Pos}^+(V)\}$. Hence, $\mathrm{Pos}(A,U) \subseteq \mathrm{Pos}^-(U)$ and $\mathrm{Pos}(A,V) \subseteq \mathrm{Pos}^+(V)$. Therefore, by induction hypothesis, $\llbracket U\rrbracket_{J'} \subseteq \llbracket U\rrbracket_J$ and $\llbracket V\rrbracket_J \subseteq \llbracket V\rrbracket_{J'}$. So, $u \in \llbracket U\rrbracket_J$ and, since $t \in \llbracket T\rrbracket_J$, we have $tu \in \llbracket V\rrbracket_J \subseteq \llbracket V\rrbracket_{J'}$.

• $T = U \to V$ and $\mathrm{Pos}(A,T) \subseteq \mathrm{Pos}^-(T)$. Let $t \in \llbracket T\rrbracket_{J'}$. By definition of $\llbracket T\rrbracket$, $t \in \llbracket T\rrbracket_J$ if, for all $u \in \llbracket U\rrbracket_J$, $tu \in \llbracket V\rrbracket_J$. By definition, $\mathrm{Pos}(A,T) = \{1p \mid p \in \mathrm{Pos}(A,U)\} \cup \{2p \mid p \in \mathrm{Pos}(A,V)\}$ and $\mathrm{Pos}^-(T) = \{1p \mid p \in \mathrm{Pos}^+(U)\} \cup \{2p \mid p \in \mathrm{Pos}^-(V)\}$. Hence, $\mathrm{Pos}(A,U) \subseteq \mathrm{Pos}^+(U)$ and $\mathrm{Pos}(A,V) \subseteq \mathrm{Pos}^-(V)$. Therefore, by induction hypothesis, $\llbracket U\rrbracket_J \subseteq \llbracket U\rrbracket_{J'}$ and $\llbracket V\rrbracket_{J'} \subseteq \llbracket V\rrbracket_J$. So, $u \in \llbracket U\rrbracket_{J'}$ and, since $t \in \llbracket T\rrbracket_{J'}$, we have $tu \in \llbracket V\rrbracket_{J'} \subseteq \llbracket V\rrbracket_J$. □

Lemma 7.15. $F_A$ is monotone.

Proof. Let $S \subseteq S'$, $J = I \cup \{(A,S)\}$, $J' = I \cup \{(A,S')\}$ and $t \in F_A(S)$. Then, (1) $t : A$, (2) $(\forall u)(\forall U)\; t >_T u \wedge u : U \Rightarrow u \in \llbracket U\rrbracket_J$, and (3) $(\forall f)(\forall \bar T)(\forall \bar t)(\forall i)\; f^{\alpha(f)} : \bar T \to A \wedge t = f(t_1, \dots, t_{\alpha(f)})\,t_{\alpha(f)+1} \dots t_{|\bar t|} \wedge i \in \mathrm{Acc}(f) \Rightarrow t_i \in \llbracket T_i\rrbracket_J$. We have $t \in F_A(S')$ because $t$ satisfies (1), (2) and (3) with $S$ replaced by $S'$:

(1) $t : A$ by (1).

(2) Assume that $t >_T u$ and $u : U$. By (2), $u \in \llbracket U\rrbracket_J$. By definition of $>_T$, $A \geq U$. If $A = U$, then $u \in \llbracket U\rrbracket_{J'}$ since $u \in \llbracket U\rrbracket_J = S \subseteq S' = \llbracket U\rrbracket_{J'}$. Otherwise, by Lemma 2.5, $\mathrm{Sort}_{<A}(U)$. Therefore, by Lemma 6.8, $\llbracket U\rrbracket_J = \llbracket U\rrbracket_{J'}$ and $u \in \llbracket U\rrbracket_{J'}$.

(3) Assume that $f^{\alpha(f)} : \bar T \to A$, $t = f(t_1, \dots, t_{\alpha(f)})\,t_{\alpha(f)+1} \dots t_{|\bar t|}$ and $i \in \mathrm{Acc}(f)$. By definition of $\mathrm{Acc}$, $\mathrm{Sort}_{\leq A}(T_i)$, $\mathrm{Pos}(A,T_i) \subseteq \mathrm{Pos}^+(T_i)$ and, by Lemma 7.14, $\llbracket T_i\rrbracket_J \subseteq \llbracket T_i\rrbracket_{J'}$. Therefore, $t_i \in \llbracket T_i\rrbracket_{J'}$ since $t_i \in \llbracket T_i\rrbracket_J$ by (3). □


7.5. Well-foundedness of the structural term ordering.

Lemma 7.16. The function $a \mapsto F^a_A(\emptyset)$ is monotone.

Proof. Let $J^a = F^a_A(\emptyset)$. We prove by induction on $b$ that, for all $a < b$, $J^a \subseteq J^b$.

• $b = c + 1$. Then, $J^b = F_A(J^c)$. If $a = c$, then $J^a \subseteq J^b$ by definition of $F_A$. Otherwise, $a < c$ and, by induction hypothesis, $J^a \subseteq J^c$. By Lemma 7.15, $J^{a+1} \subseteq J^{c+1}$. Since $J^a \subseteq J^{a+1}$ by definition of $F_A$, we have $J^a \subseteq J^b$.

• $b$ is a limit ordinal. Then, $J^a \subseteq J^b$ by definition of $J^b$. □

The functions $F^a_A$ provide us with a well-founded relation that is the basis of the well-foundedness of the structural term ordering when it is instantiated by computable terms:

Definition 7.17 (Rank ordering). Let the rank of a term $t \in \llbracket A\rrbracket$, $\mathrm{rk}_A(t)$, be the smallest ordinal $a$ such that $t \in F^a_A(\emptyset)$. Then, let $t \sqsupset u$ if there is a sort $A$ such that $t \in \llbracket A\rrbracket$, $u \in \llbracket A\rrbracket$ and $\mathrm{rk}_A(t) > \mathrm{rk}_A(u)$.

We now prove that $>_T$ is included in $\sqsupset$ and that their union is strongly normalizing on computable terms.

Lemma 7.18. If $t \in \llbracket A\rrbracket$, $u \in \llbracket A\rrbracket$ and $t >_T u$, then $t \sqsupset u$.

Proof. By definition, we have $t \in F^a_A(\emptyset)$ where $a = \mathrm{rk}_A(t)$. We can neither have $a = 0$ nor $a$ a limit ordinal. So, there is $b$ such that $a = b + 1$. Hence, $F^a_A(\emptyset) = F_A(F^b_A(\emptyset))$ and $u \in F^b_A(\emptyset)$ by definition of $F_A$. Therefore, $t \sqsupset u$. □
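
The following script is an added worked example, not code from the paper: it computes the iterates $F^a_A(\emptyset)$, the least fixpoint and the ranks of Definition 7.17 on a constructed finite fragment, and checks the inequality of Lemma 7.18 on it. Its assumptions: a single sort $A$ (so every $>_T$-reduct of a term of sort $A$ has sort $A$ and the clause $u \in \llbracket U\rrbracket$ of $F_A$ collapses to $u \in S$); a finite set of terms written as strings; a constructed finite relation `RED` standing in for the $>_T$-reducts; and, as in the $F_A$ of Definition 7.12, constructor terms must have their accessible arguments (`ACC_ARGS`, with $\mathrm{Acc}(\mathrm{suc}) = \{1\}$) in $S$ as well. On a finite carrier the iteration stabilises after finitely many steps, so no limit stage is needed.

```python
# Added worked example, not code from the paper: the least fixpoint of F_A
# computed by iterating F_A from the empty set, and the rank ordering of
# Definition 7.17, on a constructed finite fragment. Assumptions of this
# example: a single sort A; a finite set of terms (strings); a constructed
# finite relation RED standing in for the >_T-reducts of each term, all of
# sort A, so the clause "u in [U]" of F_A collapses to "u in S"; and, as in
# the F_A of Definition 7.12, constructor terms must also have their
# accessible arguments (ACC_ARGS) in S.

TERMS = ['zero', 'suc(zero)', 'suc(suc(zero))', 'add(zero,zero)',
         'suc(add(zero,zero))', 'add(suc(zero),zero)', 'loop']

# Constructed >_T-reducts: add(0,0) -> 0, add(s 0, 0) -> s(add(0,0)) -> s 0,
# plus a term that reduces to itself (not strongly normalizing).
RED = {'add(zero,zero)': {'zero'},
       'add(suc(zero),zero)': {'suc(add(zero,zero))'},
       'suc(add(zero,zero))': {'suc(zero)'},
       'loop': {'loop'}}

# Accessible arguments of constructor terms (Acc(suc) = {1}).
ACC_ARGS = {'suc(zero)': {'zero'},
            'suc(suc(zero))': {'suc(zero)'},
            'suc(add(zero,zero))': {'add(zero,zero)'}}

def F(S):
    """F_A(S): terms all of whose reducts and accessible arguments lie in S."""
    return {t for t in TERMS
            if RED.get(t, set()) <= S and ACC_ARGS.get(t, set()) <= S}

def stages():
    """F_A^0(0), F_A^1(0), ... up to and including the first repeated stage,
    which is the least fixpoint, i.e. [A]."""
    out = [frozenset()]
    while True:
        nxt = frozenset(F(out[-1]))
        out.append(nxt)
        if nxt == out[-2]:
            return out

def rank(t):
    """rk_A(t): the least a with t in F_A^a(0); None if t never enters."""
    for a, stage in enumerate(stages()):
        if t in stage:
            return a
    return None

def computable():
    """[A] as the last (fixpoint) stage."""
    return set(stages()[-1])

def lemma_7_18_holds():
    """For computable t with t >_T u, rk_A(t) > rk_A(u); the same inequality
    holds for accessible arguments, which enter strictly before their
    constructor term."""
    comp = computable()
    for t in comp:
        for u in RED.get(t, set()) | ACC_ARGS.get(t, set()):
            if not (u in comp and rank(t) > rank(u)):
                return False
    return True
```

On this fragment the stages are $\emptyset$, $\{\mathrm{zero}\}$, then the terms whose reducts and accessible arguments are already in, and the iteration stops after four applications of $F_A$; `loop` is never added, illustrating that $\llbracket A\rrbracket \subseteq \mathrm{SN}(>_T)$ (Lemma 6.24), and every reduction step strictly decreases the rank (Lemma 7.18).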

Lemma 7.19. $\llbracket T\rrbracket \subseteq \mathrm{SN}(>_T \cup \sqsupset)$ if, for all $T' < T$, $\llbracket T'\rrbracket$ satisfies (comp-sn).

Proof. Assume that there is an infinite $(>_T \cup \sqsupset)$-decreasing sequence $(t_i)_{i \geq 0}$ such that $t_0 \in \llbracket T\rrbracket$ and $t_i : T_i$. Then, $(T_i)_{i \geq 0}$ is an infinite $\geq$-decreasing sequence. Since $>$ is well-founded by (typ-sn), there must be some $j$ such that, for all $i \geq j$, $T_i = T_j$. If $T_j$ is a sort then, by Lemma 7.18, $(t_i)_{i \geq j}$ is an infinite $\sqsupset$-decreasing sequence, which is not possible since $\sqsupset$ is well-founded. If $T_j$ is not a sort, then $(t_i)_{i \geq j}$ is an infinite $>_T$-decreasing sequence since $\sqsupset$ only compares terms of base type. But this is not possible since $T > T_j$ and, by assumption, $\llbracket T_j\rrbracket$ satisfies (comp-sn). □

We now show that $\trianglerighteq_a$ preserves computability, and that the structural term ordering is stable by computable substitutions of domain $X$.

Lemma 7.20. If $t$ is computable and $t \trianglerighteq_a u$, then $u$ is computable.

Proof. By induction on the definition of $\trianglerighteq_a$. If $t = u$, this is immediate. Otherwise, there are $f^{\alpha(f)} : \bar T \to A$, $\bar t : \bar T$ and $i \in \mathrm{Acc}(f)$ such that $t = f(t_1, \dots, t_{\alpha(f)})\,t_{\alpha(f)+1} \dots t_{|\bar t|}$ and $t_i \trianglerighteq_a u$. Since $t$ is computable, by definition of $\llbracket A\rrbracket$, $t_i$ is computable. Therefore, by induction hypothesis, $u$ is computable. □


Lemma 7.21. If $t : A$ is computable, $t \triangleright_a u : U$ and $A$ occurs in $U$, then there is $b$ such that $\mathrm{rk}_A(t) = b + 1$ and $u \in \llbracket U\rrbracket_J$, where $J(A) = F^b_A(\emptyset)$ and $J(B) = I(B)$ if $B \neq A$.

Proof. First note that, by Corollary 7.7, $\mathrm{Sort}_{\leq A}(U)$ and $\mathrm{Pos}(A,U) \subseteq \mathrm{Pos}^+(U)$. We now proceed by induction on the definition of $\triangleright_a$. Assume that there are $f^{\alpha(f)} : \bar T \to A$, $\bar t : \bar T$ and $i \in \mathrm{Acc}(f)$ such that $t = f(t_1, \dots, t_{\alpha(f)})\,t_{\alpha(f)+1} \dots t_{|\bar t|}$ and $t_i \trianglerighteq_a u$. By definition, $\mathrm{rk}_A(t)$ can be neither $0$ nor a limit ordinal. Therefore, there must be $b$ such that $\mathrm{rk}_A(t) = b + 1$ and $t_i \in \llbracket T_i\rrbracket_J$. If $t_i = u$, then we are done. Assume now that $t_i \triangleright_a u$. Then, there is $B$ such that $t_i : B$. By definition of $\mathrm{Acc}$, $B \leq A$. By Corollary 7.7, $\mathrm{Sort}_{\leq B}(U)$. Since $A$ occurs in $U$, we have $A \leq B$ and thus $B = A$ because $>$ is well-founded by (typ-sn). Hence, by induction hypothesis, there is $c$ such that $\mathrm{rk}_A(t_i) = c + 1$ and $u \in \llbracket U\rrbracket_K$, where $K(A) = F^c_A(\emptyset)$ and $K(B) = I(B)$ if $B \neq A$. Therefore, $u \in \llbracket U\rrbracket_J$ by Lemma 7.14 since $c < b$, $\mathrm{Sort}_{\leq A}(U)$ and $\mathrm{Pos}(A,U) \subseteq \mathrm{Pos}^+(U)$. □


Lemma 7.22. If $t \triangleright^X_@ u$, $\sigma$ is computable on $X$ and $t\sigma$ is computable, then $u\sigma$ is computable and $t\sigma \sqsupset u\sigma$.

Proof. Since $t \triangleright^X_@ u$, there are $A$, $v$ and $x : W$ such that $t : A$, $u : A$, $u = v\,x$, $t \triangleright_a v$, $x \in X$ and $\mathrm{Pos}(A,W) = \emptyset$. Therefore, $u\sigma = (v\sigma)(x\sigma)$ and, since $\triangleright_a$ is stable by substitution, $t\sigma \triangleright_a v\sigma$. By Lemma 7.21, there is $b$ such that $\mathrm{rk}_A(t\sigma) = b + 1$ and $v\sigma \in \llbracket W \to A\rrbracket_J$, where $J(A) = F^b_A(\emptyset)$ and $J(B) = I(B)$ if $B \neq A$. Since $\sigma$ is computable on $X$, we have $x\sigma$ computable. Since $\mathrm{Pos}(A,W) = \emptyset$, by Lemma 6.8, we have $x\sigma \in \llbracket W\rrbracket_J$. Therefore, $u\sigma \in \llbracket A\rrbracket_J$ and $t\sigma \sqsupset u\sigma$. □


7.6. Well-foundedness of CPO with accessible subterms. We now check that type interpretations are computability predicates, and that function symbols are computable.

One can easily check that all the lemmas of Section 6.3 are still valid, as well as Lemmas 6.23 and 6.24 (since they do not depend on the $(\mathcal F_b\_)$ rules). Therefore, following the proof of Theorem 6.25, we get:

Theorem 7.23. For all type $T$, $\llbracket T\rrbracket$ is a computability predicate, i.e. satisfies (comp-sn), (comp-red), (comp-neutral) and (comp-lam).

Lemma 7.24. If $A$ is a basic sort, then $\llbracket A\rrbracket = \mathrm{SN}_A(>_T)$.

Proof. By Lemma 6.24, it suffices to prove that, for all $t \in \mathrm{SN}_A(>_T)$, we have $t \in \llbracket A\rrbracket$. By (typ-sn), $>$ is well-founded. By Lemma 7.11, $>_T$ is monotone and thus $>_T \cup \triangleright$ is well-founded on $\mathrm{SN}(>_T)$. We can therefore proceed by induction on $(A, t)$ with $(>, >_T \cup \triangleright)_{lex}$ as well-founded relation.

We first prove that every $>_T$-reduct $u$ of $t$ is computable. Since $t \in \mathrm{SN}_A(>_T)$, we have $u \in \mathrm{SN}_U(>_T)$. By definition of $>_T$, $A \geq U$. Therefore, $U$ is a basic sort and, by induction hypothesis, $u \in \llbracket U\rrbracket$ since $A > U$ or else $A = U$ and $t >_T u$.

Hence, if $t$ is neutral, then $t \in \llbracket A\rrbracket$ since $\llbracket A\rrbracket$ satisfies (comp-neutral). Otherwise, $t = f(t_1, \dots, t_{\alpha(f)})\,t_{\alpha(f)+1} \dots t_{|\bar t|}$ with $f^{\alpha(f)} : \bar T \to A$ and $\mathrm{Acc}(f) \neq \emptyset$. Let $i \in \mathrm{Acc}(f)$. Then, $\mathrm{Sort}_{\leq A}(T_i)$. Since $A$ is basic, $T_i = A$ or $T_i$ is a basic sort. In both cases, $T_i \leq A$ and $T_i$ is a basic sort. Therefore, $t_i \in \llbracket T_i\rrbracket$ since $t_i \in \mathrm{SN}_{T_i}(>_T)$ and $A > T_i$ or else $A = T_i$ and $t \triangleright t_i$. Hence, $t \in \llbracket A\rrbracket$ by definition of $F_A$. □

Lemma 7.25. Let $f : \bar T \to U$ and $\bar t \in \llbracket \bar T\rrbracket$. Then, $f(\bar t)$ is computable.

Proof. There are $\bar U$ and $A$ such that $U = \bar U \to A$. By definition, $f(\bar t)$ is computable if, for every $\bar u \in \llbracket \bar U\rrbracket$, $f(\bar t)\bar u$ is computable. By Theorem 7.23, $\llbracket \bar T\rrbracket$ and $\llbracket \bar U\rrbracket$ satisfy (comp-sn) and, by Lemma 7.19, $\llbracket \bar T\rrbracket \subseteq \mathrm{SN}(>_T \cup \sqsupset)$. Therefore, by Lemma 6.12, $(>_{\mathcal F}, (>_T \cup \sqsupset)_{stat})_{lex}$ is well-founded. We can therefore prove that, for all $((f, \bar t), \bar u)$ such that $f(\bar t)\bar u$ is of base type, $f(\bar t)\bar u$ is computable, by induction on $((>_{\mathcal F}, (>_T \cup \sqsupset)_{stat})_{lex}, (>_T)_{lex})_{lex}$ (0).

Since $f(\bar t)\bar u$ is of base type and all its accessible arguments are computable by assumption, it suffices to prove that all its $>_T$-reducts are computable. To this end, we prove that, for all $k \leq n = |\bar u|$, every $>_T$-reduct of $f(\bar t)u_1 \dots u_k$ is computable, by induction on $k$ (1).

• $k = 0$. The proof is the same as for Lemma 6.26 except for the new cases:

– $(\mathcal F_b{\triangleright})$ There are $i$, $s : S$ and $v : V$ such that $t_i \trianglerighteq_b s \trianglerighteq_a v \geq_T w$. By stability by substitution of $\trianglerighteq_b$, $\trianglerighteq_a$ and $>_T$ (Lemmas 7.9 and 7.11), we have $t_i = t_i\sigma \trianglerighteq_b s\sigma \trianglerighteq_a v\sigma \geq_T w\sigma$. Since $\bar t$ are computable and $\llbracket \bar T\rrbracket$ satisfies (comp-sn), we have $\bar t \in \mathrm{SN}(>_T)$. Since $>_T$ is monotone (Lemma 7.11), we have $s\sigma \in \mathrm{SN}(>_T)$. Hence, by Lemma 7.24, $s\sigma$ is computable and, by Lemma 7.20, $v\sigma$ is computable. Therefore, $w\sigma$ is computable since, by Theorem 7.23, $\llbracket V\rrbracket$ satisfies (comp-red).

– $(\mathcal F_b{=})$ There are $g$ and $\bar u'$ such that $w = g(\bar u')$, $f =_{\mathcal F} g$, $\bar t\ (>_T \cup \triangleright^X_@ \geq_T)_{stat(f)}\ \bar u'$ and $f(\bar t) >^X_T \bar u'$. Since $f(\bar t) >^X_T \bar u'$, by induction hypothesis (2), $\bar u'\sigma$ are computable. If $t_j >_T u'_j$ then, by stability by substitution (Lemma 7.11), $t_j = t_j\sigma >_T u'_j\sigma$. If $t_j \triangleright^X_@ v \geq_T u'_j$ then, by Lemma 7.22, $t_j\sigma \sqsupset v\sigma$ and, by stability by substitution again, $v\sigma \geq_T u'_j\sigma$. Therefore, by Lemma 7.18 and transitivity, $t_j\sigma \sqsupset u'_j\sigma$. Thus, in both cases, $\bar t\ (>_T \cup \sqsupset)_{stat(f)}\ \bar u'\sigma$ and, by induction hypothesis (0), $g(\bar u')\sigma$ is computable.

• $k > 0$. Then, $f(\bar t)u_1 \dots u_k = t\,u_k$ where $t = f(\bar t)u_1 \dots u_{k-1}$. By induction hypothesis (1), every $>_T$-reduct of $t$ is computable. Now, if $u_k >_T u'_k$, then $t\,u'_k$ is computable by induction hypothesis (0). Therefore, by Lemma 6.15, every $>_T$-reduct of $t\,u_k$ is computable. □

Theorem 7.26. The relation $>_T$ of Definition 7.10 is well-founded.

Proof. After Theorem 6.11, Theorem 7.23 and Lemma 7.25. □

7.7. Using semantic comparisons. The extension of CPO described here is still not able to orient the terminating rules defining the recursor of the type $C$ in Example 5.2.

Example 7.27. Given an arbitrary type $A$, the recursor (of arity 3) at type $A$ of the type $C$ of continuations of Example 5.2 has type $\mathrm{rec}_C : C \to A \to (\neg\neg C \to \neg\neg A \to A) \to A$. Its rewrite rules are the following:

$\mathrm{rec}_C(d, u, v) \to u$

$\mathrm{rec}_C(c(x), u, v) \to v\,x\,(\lambda y^{\neg A}\, x\,(\lambda z^{C}\, y\,(\mathrm{rec}_C(z, u, v))))$

The problem is that we do not have $c(x) \triangleright^X_@ z$ for $X = \{y, z\}$: the bound variable $z$ is not of the form $v\,x'$ with $c(x) \triangleright_a v$. Indeed, $C$ is non-strictly positive and the structural term ordering can only handle strictly positive types.

To handle such rules, we know two solutions. The first one is to define the interpretation of $C$ so that $\mathrm{rec}_C$ is computable by definition, which is possible since positivity conditions are satisfied. However, this solution lacks flexibility for the user, who is forced to define all other functions on $C$ via the recursor.

The second, flexible solution consists in considering types with size annotations (to be interpreted by ordinals) and, in $(\mathcal F_b{=})$, compare terms by their size annotations, an approach initiated independently in two early works and later developed in various others, e.g. [19]. Indeed, assuming that $c(x)$ has type $C^{a+1}$, then $x$ has type $\neg\neg C^a$ and, thus, the bound variable $z$ gets the type $C^a$, whose size annotation is smaller than the one of $c(x)$.

Including semantics in RPO was pioneered by Kamin and Levy [60], and extended to HORPO in [22]. In both cases, semantics was added by replacing the precedence by a semantic order on terms. The use of size annotations is a different way to include semantics in these orders. These two different ways of including semantics in recursive path orders are however related: both can be seen as an instance of the more general semantic labeling schema [93, 20].


8. Small symbols

In this section, we consider a further extension of CPO that originated from some draft version of [55] and try to answer the following general question: can we relax the constraints on the precedence? More precisely, to which extent can a function symbol be smaller than an application or an abstraction? We are going to show that this is indeed possible if the rules governing these small symbols are more restrictive than the ones for big symbols.

We first define the extension of CPO to small symbols, and then show the computability properties, including a specific one for small symbols. Unlike before, this will reveal a circularity among the dependencies between the different computability properties, hence strong normalization does not follow. Breaking this circularity will require assumptions on the types of small symbols that are then investigated for practical purposes. It will appear that, for instance, any constructor of a strictly-positive inductive type can be considered a small symbol.

8.1. CPO with small symbols.

Definition 8.1 (CPO with small symbols). We assume that the set of function symbols is partitioned into a set $\mathcal F_b$ of big symbols and a set $\mathcal F_s$ of small symbols so that:

• no small symbol is greater or equivalent to a big symbol (small-lt-big)

• small symbols with arrow output type have no accessible argument (small-acc)

We then extend $>^X_T$ by adding the rules of Figure 3.

We will add conditions on the types of small symbols after Definition 8.9 (see the figure given there). Because of the rules $(@\mathcal F_s)$ and $(\mathcal F_s@)$, one may think that the relation is not terminating anymore, but this is not the case for typing reasons. Indeed, in contrast with rules for big symbols, rules for small symbols require type checking the recursive calls systematically.

For instance, assume that $f : o \to o$ and $g^2 : o \to o \to o$. Then, although we have $f\,a >_T g(a,a)$ by $(@\mathcal F_s)$ since $f\,a >_T a$ by $(@{\triangleright})$, we hopefully do not have $g(a,a) >_T f\,a$ by $(\mathcal F_s@)$ because we do not have $g(a,a) >_T f$ for typing reasons.

On the other hand, there is no rule $(\mathcal F_s\lambda)$ such that $f(\bar t) >^X_T \lambda y v$ if $f(\bar t) >^X_T v$ and $y \notin \mathrm{FV}(v)$ because, together with the rule $(\lambda\mathcal F_s)$, it would lead to non-termination, as shown by the following example: given small symbols $a : o \to o$ and $b : o$, $\lambda x b >_T a$ by $(\lambda\mathcal F_s)$, and $a >_T \lambda x b$ by $(\mathcal F_s\lambda)$ since $a >_T b$ by $(\mathcal F_s{>})$. It is however possible to have $(\mathcal F_s\lambda)$ if one removes $(\lambda\mathcal F_s)$. We choose to present the case of $(\lambda\mathcal F_s)$ because it seems more useful, but the termination proof can be easily adapted if $(\lambda\mathcal F_s)$ is replaced by $(\mathcal F_s\lambda)$. Note however that this does not lead to the same definition for the sets SPos, LPos, ... (Definition 8.9) studied in Section 8.4.

Figure 3: Additional CPO rules for small symbols

Two potential improvements are left. First, take a rule $(\mathcal F_s{\triangleright})$ similar to the rule $(\mathcal F_b{\triangleright})$ of Figure 2. Second, get rid of the assumption (small-acc) if possible.


8.2. Computability properties.

Lemma 8.2 (Basic properties).

• $>^X_T$ is well-defined.

• $>_T$ is monotone.

• If $a >^X_T b$, then $\mathrm{FV}(b) \subseteq \mathrm{FV}(a) \cup X$.

• $>^X_T$ is stable by $\alpha$-equivalence.

• $>^X_T$ is stable by substitution away from $X$.

• If $e$ and $e'$ are variables such that $\tau(e) = \tau(e')$, $t >^X_T u$ and $e' \notin \mathrm{FV}(\lambda e\,u)$, then $t >^{(X \setminus \{e\}) \cup \{e'\}}_T u^{e'}_e$.

Keeping the same definitions for neutral terms and the base type interpretation as in Section 6, it is easy to check that Lemma 6.13 and Lemma 6.14 still hold. However, because of the new rules $(@\mathcal F_s)$ and $(\lambda\mathcal F_s)$, Corollary 6.17 and Corollary 6.19, hence Lemma 6.16 and Lemma 6.18, reveal new dependencies that require introducing the following new computability property for a set $S$ of terms of type $T$:

(comp-small) $f(\bar t) \in S$ if $f(\bar t) : T$, $f \in \mathcal F_s$ and $\bar t$ are computable.

Note that big symbols do not need any computability property because they are bigger than everybody else, and therefore other computability properties do not depend upon the computability of big symbols. It follows that they cannot be involved in any circularity.

Lemma 8.3. Let $t : U \to V$ and $u : U$. Then, every $>_{\mathcal T}$-reduct of $t\,u$ is computable if: 

• every $>_{\mathcal T}$-reduct of $t$ is computable; 

• $u$ is computable; 

• if $t = \lambda x\,v$, then $v^u_x$ is computable; 

• for all $u'$ such that $u >_{\mathcal T} u'$, $t\,u'$ is computable; 

• $[\![U]\!]$ satisfies (comp-red); 

• $[\![V]\!]$ satisfies (comp-red); 

• $[\![V']\!]$ satisfies (comp-lam) and (comp-small) whenever $V' \le V$. 

Proof. The proof is the same as for Lemma 6.15 except for the new case: 

• $(@\mathcal F_s)$ $w = f(\bar v)$, $f \in \mathcal F_s$ and $(\forall i)\ t\,u >_{\mathcal T} v_i$. By induction hypothesis, $\bar v$ are computable. Since $[\![W]\!]$ satisfies (comp-small) by assumption, $w$ is computable. □ 

Lemma 8.4. Let $t : U \to V$ and $u : U$. Then, $t\,u$ is computable if: 

• $u$ is computable; 

• every $>_{\mathcal T}$-reduct of $t$ is computable; 

• if $t = \lambda x\,v$, then $v^u_x$ is computable; 

• either $t$ is neutral or $t = \lambda x\,v$; 

• $[\![U]\!]$ satisfies (comp-red) and (comp-sn); 

• $[\![V]\!]$ satisfies (comp-red) and (comp-neutral); 

• $[\![V']\!]$ satisfies (comp-lam) and (comp-small) whenever $V' \le V$. 

Proof. As for Lemma 6.16, but using Lemma 8.3 instead. □ 

Corollary 8.5. $[\![U \to V]\!]$ satisfies (comp-neutral) if: 

• $[\![U]\!]$ satisfies (comp-sn) and (comp-red); 

• $[\![V]\!]$ satisfies (comp-red) and (comp-neutral); 

• $[\![V']\!]$ satisfies (comp-lam) and (comp-small) whenever $V' \le V$. 

Proof. As for Corollary 6.17, but using Lemma 8.4 instead. □ 

Lemma 8.6. Let $x : U$ and $v : V$. Then, $\lambda x\,v$ is computable if: 

• for all computable $u : U$, $v^u_x$ is computable; 

• $[\![U]\!]$ satisfies (comp-sn) and (comp-red) and contains a variable, which is the case if it satisfies (comp-neutral) too; 

• $[\![V]\!]$ satisfies (comp-sn), (comp-red) and (comp-neutral); 

• $[\![V']\!]$ satisfies (comp-lam) whenever $V' \le V$; 

• $[\![W]\!]$ satisfies (comp-small) whenever $W \le U \to V$. 

Proof. The proof is the same as for Lemma 6.18 except for the new case: 

• $(\lambda \mathcal F_s)$ $w = f(\bar v)$, $f \in \mathcal F_s$ and $(\forall i)\ \lambda x\,v >_{\mathcal T} v_i$. By induction hypothesis, $\bar v$ are computable. Thus, $w$ is computable since, by assumption, $[\![W]\!]$ satisfies (comp-small). □ 

Corollary 8.7. $[\![U \to V]\!]$ satisfies (comp-lam) if: 

• $[\![U]\!]$ satisfies (comp-sn), (comp-red) and (comp-neutral); 

• $[\![V]\!]$ satisfies (comp-sn), (comp-red) and (comp-neutral); 

• $[\![V']\!]$ satisfies (comp-lam) whenever $V' \le V$; 

• $[\![W]\!]$ satisfies (comp-small) whenever $W \le U \to V$. 

We are left with the new computability property for small symbols: 

Lemma 8.8. $[\![U]\!]$ satisfies (comp-small) if: 

• $[\![U]\!]$ satisfies (comp-neutral); 

• $[\![U']\!]$ satisfies (comp-small) whenever $U' < U$; 

• for every small $f^{|\bar T|} : \bar T \to U$, $[\![\bar T]\!]$ satisfies (comp-sn) and (comp-red). 

Proof. Assume that $f : \bar T \to U$ is small. By assumption, $[\![\bar T]\!]$ satisfies (comp-sn) and, by Lemma 7.19, $[\![\bar T]\!] \subseteq \mathrm{SN}(>_{\mathcal T} \cup \rhd)$. Therefore, by Lemma 6.12, $(>_{\mathcal F}, (>_{\mathcal T} \cup \rhd)_{\mathrm{stat}})_{\mathrm{lex}}$ is well-founded when restricted to small symbols. We can therefore prove that, for all pairs $(f, \bar t)$ with $f \in \mathcal F_s$ and $\bar t$ computable, $f(\bar t)$ is computable, by induction on $(>_{\mathcal F}, (>_{\mathcal T} \cup \rhd)_{\mathrm{stat}})_{\mathrm{lex}}$ (1). 

We first prove that $f(\bar t)$ is computable if all its $>_{\mathcal T}$-reducts are. If $U$ is a sort, then the result holds since $\bar t$ are computable. Otherwise, by (small-acc), $\mathrm{Acc}(f) = \emptyset$ and $f(\bar t)$ is neutral. Therefore, the result holds since $[\![U]\!]$ satisfies (comp-neutral) by assumption. 

We now prove that every $>_{\mathcal T}$-reduct $w : W$ of $f(\bar t)$ is computable, by induction on $w$ (2). By definition of $>_{\mathcal T}$, we have $U \ge W$. 

• $(\mathcal F_s \rhd)$ $(\exists i)\ t_i \ge_{\mathcal T} w$. By assumption, $[\![\bar T]\!]$ satisfies (comp-red). Thus, $w$ is computable. 

• $(\mathcal F_s =)$ There are $g : \bar U \to W$ and $\bar u : \bar U$ such that $w = g(\bar u)$, $(\forall i)\ f(\bar t) >_{\mathcal T} u_i$, $f =_{\mathcal F} g$ and $\bar t\ (>_{\mathcal T} \cup \rhd >_{\mathcal T})_{\mathrm{stat}(f)}\ \bar u$. By (small-lt-big), $g$ is small. Since $f(\bar t) >_{\mathcal T} \bar u$, by induction hypothesis (2), $\bar u$ are computable. We distinguish two cases: 

— $U > W$. Then, $g(\bar u)$ is computable since $[\![W]\!]$ satisfies (comp-small). 

— $U = W$. If $t_i \rhd v >_{\mathcal T} u_j$, then, by Lemma 7.22, Lemma 7.18 and transitivity, $t_i \rhd u_j$. Hence, $\bar t\ (>_{\mathcal T} \cup \rhd)_{\mathrm{stat}(f)}\ \bar u$ and, by induction hypothesis (1), $g(\bar u)$ is computable. 

• $(\mathcal F_s >)$ There are $g : \bar U \to W$ and $\bar u : \bar U$ such that $w = g(\bar u)$, $(\forall i)\ f(\bar t) >_{\mathcal T} u_i$ and $f >_{\mathcal F} g$. By (small-lt-big), $g$ is small. Since $f(\bar t) >_{\mathcal T} \bar u$, by induction hypothesis (2), $\bar u$ are computable. We distinguish two cases: 

— $U > W$. Then, $g(\bar u)$ is computable since $[\![W]\!]$ satisfies (comp-small). 

— $U = W$. Then, $g(\bar u)$ is computable by induction hypothesis (1). 

• $(\mathcal F_s @)$ There are $u$ and $v$ such that $w = u\,v$ and $f(\bar t) >_{\mathcal T} u, v$. By induction hypothesis (2), $u$ and $v$ are computable. Therefore, $u\,v$ is computable. 

• $(\mathcal F_s \lambda)$ Not possible. □ 


8.3. Well-foundedness of CPO with small symbols. In contrast with the previous cases, we cannot conclude from the above lemmas that, for every type $T$, $[\![T]\!]$ is a computability predicate, because of circularities. 

Indeed, for $[\![A]\!]$ to satisfy (comp-small), we need, for every small symbol $f : \bar T \to A$, $[\![\bar T]\!]$ to satisfy (comp-sn); but for $[\![T]\!]$ to satisfy (comp-sn) when $T = U \to V$, we need $[\![U]\!]$ to satisfy (comp-neutral); but for $[\![U]\!]$ to satisfy (comp-neutral) when $U = W \to A$, we need $[\![A]\!]$ to satisfy (comp-small). To break this circularity, we will make these dependencies more precise by introducing sets of positions in types that reflect how these computability properties depend on each other. The idea here is that if there is no problematic occurrence of $A$ in $T$, then $[\![T]\!]$ satisfies (comp-sn), and similarly for the other properties. 

Instead of sets of positions, we could have simply considered boolean functions returning true if $T$ contains a problematic occurrence of $A$. Considering positions allows us to pinpoint precisely which occurrences are problematic, and therefore to obtain sharper conditions on $\mathcal F_s$ ensuring the absence of cycles in the dependency graph of the computability properties. Of course, one may think that there are different ways to carry out these proofs, resulting in different dependency graphs. We believe that these relationships are intrinsic to the computability properties, although we have not been able to substantiate this claim so far. 
Definition 8.9 (Computability-property positions). For each computability property (S standing for (comp-sn), R for (comp-red), N for (comp-neutral), L for (comp-lam) and C for (comp-small)), we inductively define a set of positions in a type $T$ wrt a sort $A$ as follows: 

• $\mathrm{CPos}_A(A) = \{\varepsilon\}$ and $\mathrm{CPos}_A(B) = \emptyset$ if $B \ne A$ 

• $\mathrm{SPos}_A(B) = \mathrm{RPos}_A(B) = \mathrm{NPos}_A(B) = \mathrm{LPos}_A(B) = \emptyset$ whatever $A$ and $B$ are 

• $\mathrm{CPos}_A(U \to V) = \mathrm{NPos}_A(U \to V)$ 

• $\mathrm{SPos}_A(U \to V) = \mathrm{RPos}_A(U \to V) = \{1p \mid p \in \mathrm{NPos}_A(U)\} \cup \{2p \mid p \in \mathrm{SPos}_A(V)\}$ 

• $\mathrm{NPos}_A(U \to V) = \{1p \mid p \in \mathrm{SPos}_A(U) \cup \mathrm{RPos}_A(U)\} \cup \{2p \mid p \in \mathrm{RPos}_A(V) \cup \mathrm{NPos}_A(V) \cup \mathrm{LPos}_A(V) \cup \mathrm{CPos}_A(V)\}$ 

• $\mathrm{LPos}_A(U \to V) = \mathrm{CPos}_A(U \to V) \cup \{1p \mid p \in \mathrm{SPos}_A(U) \cup \mathrm{RPos}_A(U) \cup \mathrm{NPos}_A(U)\} \cup \{2p \mid p \in \mathrm{SPos}_A(V) \cup \mathrm{RPos}_A(V) \cup \mathrm{NPos}_A(V) \cup \mathrm{LPos}_A(V) \cup \mathrm{CPos}_A(V)\}$ 

Note that $\mathrm{RPos}_A(T) = \mathrm{SPos}_A(T) \subseteq \mathrm{LPos}_A(T)$ and $\mathrm{NPos}_A(T) \subseteq \mathrm{CPos}_A(T)$. Straightforward simplifications then yield: 

• $\mathrm{NPos}_A(U \to V) = \{1p \mid p \in \mathrm{SPos}_A(U)\} \cup \{2p \mid p \in \mathrm{LPos}_A(V) \cup \mathrm{CPos}_A(V)\}$ 

• $\mathrm{LPos}_A(U \to V) = \mathrm{CPos}_A(U \to V) \cup \{1p \mid p \in \mathrm{SPos}_A(U) \cup \mathrm{NPos}_A(U)\} \cup \{2p \mid p \in \mathrm{LPos}_A(V) \cup \mathrm{CPos}_A(V)\}$ 

We can now express in Figure 4 conditions on the types of the small symbols ensuring, as we shall show next, the absence of cycles in the dependency graph. 


Figure 4: Conditions on types of small symbols 

$\forall f^{|\bar T|} : \bar T \to A$ small, $(\forall i)\ \mathrm{Sort}_{\le A}(T_i) \wedge \mathrm{SPos}_A(T_i) = \emptyset$ (small-sort) 

$\forall f^{|\bar T|} : \bar T \to \bar U \to A$ small with $|\bar U| > 0$, $\mathrm{Acc}(f) = \emptyset \wedge (\forall i)\ \mathrm{Sort}_{\le A}(T_i) \wedge T_i \le \bar U \to A$ (small-arrow) 

Consider the (small-sort) case and assume that $T_i \le A$. Then, either $T_i = A$ and $\mathrm{SPos}_A(T_i) = \emptyset$ by definition, or $T_i < A$ and $\mathrm{SPos}_A(T_i) = \emptyset$ by Lemma 8.11. The condition for base types is therefore (strictly) weaker than the one for arrow types. This weaker form will indeed be important later for deciding if a function symbol of base output type can be declared small. 

Lemma 8.10. If $\mathrm{Sort}_{<A}(T)$, then $\mathrm{SPos}_A(T) = \mathrm{NPos}_A(T) = \mathrm{LPos}_A(T) = \mathrm{CPos}_A(T) = \emptyset$. 

Proof. By induction on $T$. 

• $T = B$. Then, $\mathrm{SPos}_A(T) = \mathrm{NPos}_A(T) = \mathrm{LPos}_A(T) = \emptyset$ by definition. Since $\mathrm{Sort}_{<A}(T)$, we have $B \ne A$ and thus $\mathrm{CPos}_A(T) = \emptyset$ too. 

• $T = U \to V$. Since $\mathrm{Sort}_{<A}(U)$ and $\mathrm{Sort}_{<A}(V)$, $\mathrm{SPos}_A(U) = \mathrm{NPos}_A(U) = \mathrm{LPos}_A(U) = \mathrm{CPos}_A(U) = \emptyset$ and $\mathrm{SPos}_A(V) = \mathrm{NPos}_A(V) = \mathrm{LPos}_A(V) = \mathrm{CPos}_A(V) = \emptyset$ by induction hypothesis. Thus, $\mathrm{SPos}_A(T) = \mathrm{NPos}_A(T) = \mathrm{LPos}_A(T) = \mathrm{CPos}_A(T) = \emptyset$. □ 

Lemma 8.11. If $T \ge T'$ and $\mathrm{Sort}_{\le A}(T)$ then: 

• $\mathrm{SPos}_A(T') = \emptyset$ whenever $\mathrm{SPos}_A(T) = \emptyset$, 

• $\mathrm{NPos}_A(T') = \emptyset$ whenever $\mathrm{NPos}_A(T) = \emptyset$, 

• $\mathrm{LPos}_A(T') = \emptyset$ whenever $\mathrm{LPos}_A(T) = \emptyset$, 

• $\mathrm{CPos}_A(T') = \emptyset$ whenever $\mathrm{CPos}_A(T) = \emptyset$. 

Proof. We proceed by induction on $T$. Note that $\mathrm{Sort}_{\le A}(T')$ by Lemma 2.6. 

• $T = B$. Since $\mathrm{Sort}_{\le A}(T)$, we have $B \le A$. By transitivity, $T' < A$. Hence, $\mathrm{Sort}_{<A}(T')$ by Lemma 2.5. Therefore, $\mathrm{SPos}_A(T') = \mathrm{NPos}_A(T') = \mathrm{LPos}_A(T') = \mathrm{CPos}_A(T') = \emptyset$ by Lemma 8.10. 

• $T = U \to V$. Then, $\mathrm{Sort}_{\le A}(U)$ and $\mathrm{Sort}_{\le A}(V)$. 

— $\mathrm{SPos}_A(T) = \emptyset$. Then, $\mathrm{NPos}_A(U) = \emptyset$ and $\mathrm{SPos}_A(V) = \emptyset$. By (typ-arrow), there are two cases: 

* $V \ge T'$. Then, $\mathrm{SPos}_A(T') = \emptyset$ by induction hypothesis. 

* $T' = U \to V'$ and $V \ge V'$. By induction hypothesis, $\mathrm{SPos}_A(V') = \emptyset$. Therefore, $\mathrm{SPos}_A(T') = \emptyset$. 

— $\mathrm{CPos}_A(T) = \mathrm{NPos}_A(T) = \emptyset$. Then, $\mathrm{SPos}_A(U) = \emptyset$ and $\mathrm{SPos}_A(V) = \mathrm{NPos}_A(V) = \mathrm{LPos}_A(V) = \mathrm{CPos}_A(V) = \emptyset$. By (typ-arrow), there are two cases: 

* $V \ge T'$. Then, $\mathrm{CPos}_A(T') = \mathrm{NPos}_A(T') = \emptyset$ by induction hypothesis. 

* $T' = U \to V'$ and $V \ge V'$, hence $\mathrm{SPos}_A(V') = \mathrm{NPos}_A(V') = \mathrm{LPos}_A(V') = \mathrm{CPos}_A(V') = \emptyset$ by induction hypothesis. $\mathrm{CPos}_A(T') = \mathrm{NPos}_A(T') = \emptyset$ follows. 

— $\mathrm{LPos}_A(T) = \emptyset$. Then, $\mathrm{SPos}_A(U) = \mathrm{NPos}_A(U) = \emptyset$ and $\mathrm{SPos}_A(V) = \mathrm{NPos}_A(V) = \mathrm{LPos}_A(V) = \mathrm{CPos}_A(V) = \emptyset$. By (typ-arrow), there are two cases: 

* $V \ge T'$. Then, $\mathrm{LPos}_A(T') = \emptyset$ by induction hypothesis. 

* $T' = U \to V'$ and $V \ge V'$. By induction hypothesis, $\mathrm{SPos}_A(V') = \mathrm{NPos}_A(V') = \mathrm{LPos}_A(V') = \mathrm{CPos}_A(V') = \emptyset$. Therefore, $\mathrm{LPos}_A(T') = \emptyset$. □ 

Lemma 8.12. Assume that the condition (small-arrow) of Figure 4 holds. Let $A$ be a sort such that, for all sorts $B < A$, $[\![B]\!]$ satisfies (comp-small), and let $T$ be a type such that $\mathrm{Sort}_{\le A}(T)$. Then: 

• $[\![T]\!]$ satisfies (comp-sn) and (comp-red) if $\mathrm{SPos}_A(T) = \emptyset$, 

• $[\![T]\!]$ satisfies (comp-neutral) if $\mathrm{NPos}_A(T) = \emptyset$, 

• $[\![T]\!]$ satisfies (comp-lam) if $\mathrm{LPos}_A(T) = \emptyset$, 

• $[\![T]\!]$ satisfies (comp-small) if $\mathrm{CPos}_A(T) = \emptyset$. 

Proof. We proceed by induction on $>$, which is well-founded by (typ-sn). 

• $T = B$. Since $\mathrm{Sort}_{\le A}(T)$, we have $B \le A$. 

— $\mathrm{SPos}_A(T) = \emptyset$. $[\![T]\!]$ satisfies (comp-red) by Lemma 6.23. By Lemma 6.24, $[\![T]\!]$ satisfies (comp-sn) if, for all $U < T$, $[\![U]\!]$ satisfies (comp-sn). So, let $U < T$. By transitivity, $U < A$. Hence, by Lemma 2.5, $\mathrm{Sort}_{<A}(U)$ and, by Lemma 8.10, $\mathrm{SPos}_A(U) = \emptyset$. Therefore, by induction hypothesis, $[\![U]\!]$ satisfies (comp-sn). 

— $\mathrm{NPos}_A(T) = \emptyset$. $[\![T]\!]$ satisfies (comp-neutral) by Lemma 6.23. 

— $\mathrm{LPos}_A(T) = \emptyset$. $[\![T]\!]$ satisfies (comp-lam) by Lemma 6.23. 

— $\mathrm{CPos}_A(T) = \emptyset$. Then, $B < A$ and, by assumption, $[\![T]\!]$ satisfies (comp-small). 

• $T = U \to V$. Then, $\mathrm{Sort}_{\le A}(U)$ and $\mathrm{Sort}_{\le A}(V)$. 

— $\mathrm{SPos}_A(T) = \emptyset$. Then, $\mathrm{NPos}_A(U) = \emptyset$ and $\mathrm{SPos}_A(V) = \emptyset$. By induction hypothesis, $[\![U]\!]$ satisfies (comp-neutral) and $[\![V]\!]$ satisfies (comp-sn) and (comp-red). Hence, $[\![T]\!]$ satisfies (comp-sn) and (comp-red) by Lemmas 6.13 and 6.14. 

— $\mathrm{NPos}_A(T) = \emptyset$. Then, $\mathrm{SPos}_A(U) = \emptyset$ and $\mathrm{SPos}_A(V) = \mathrm{NPos}_A(V) =  \mathrm{LPos}_A(V) = \mathrm{CPos}_A(V) = \emptyset$. By induction hypothesis, $[\![U]\!]$ satisfies (comp-sn) and (comp-red). Let now $V' \le V$. By Lemma 2.6, $\mathrm{Sort}_{\le A}(V')$. By Lemma 8.11, $\mathrm{SPos}_A(V') = \mathrm{NPos}_A(V') = \mathrm{LPos}_A(V') = \mathrm{CPos}_A(V') = \emptyset$. By (typ-right-subterm) and transitivity, $T > V'$. Hence, by induction hypothesis, $[\![V']\!]$ satisfies (comp-red), (comp-neutral), (comp-lam) and (comp-small). Therefore, by Corollary 8.5, $[\![T]\!]$ satisfies (comp-neutral). 

— $\mathrm{CPos}_A(T) = \emptyset$. Then, $\mathrm{NPos}_A(T) = \emptyset$, hence $\mathrm{SPos}_A(U) = \emptyset$ and $\mathrm{SPos}_A(V) = \mathrm{NPos}_A(V) = \mathrm{LPos}_A(V) = \mathrm{CPos}_A(V) = \emptyset$. We now check the conditions of Lemma 8.8: 

* $[\![T]\!]$ satisfies (comp-neutral) since $\mathrm{NPos}_A(T) = \emptyset$. 

* Let $W < T$. We prove that $\mathrm{CPos}_A(W) = \emptyset$. By (typ-arrow), there are two cases: 

· $V \ge W$. Then, by Lemma 8.11, $\mathrm{CPos}_A(W) = \emptyset$. 

· $W = U \to V'$ and $V > V'$. Then, by Lemma 8.11, $\mathrm{SPos}_A(V') = \mathrm{NPos}_A(V') = \mathrm{LPos}_A(V') = \mathrm{CPos}_A(V') = \emptyset$. Thus, $\mathrm{CPos}_A(W) = \emptyset$. 

Hence, by induction hypothesis, $[\![W]\!]$ satisfies (comp-small). 

* Let now $f^{|\bar T|} : \bar T \to T$ be small. There are $\bar V$ and $B$ such that $V = \bar V \to B$. So, by (small-arrow), $(\forall i)\ \mathrm{Sort}_{\le B}(T_i)$ and $T_i \le T$. 

We first prove that, if $\mathrm{Sort}_{\le A}(\bar S \to B)$ and $\mathrm{CPos}_A(\bar S \to B) = \emptyset$, then $B < A$, by induction on $\bar S$. If $\bar S$ is empty, then $\mathrm{Sort}_{\le A}(B)$ and $\mathrm{CPos}_A(B) = \emptyset$. Thus, $B < A$. If $\bar S = U\,\bar V$, then $\mathrm{CPos}_A(\bar S \to B) = \emptyset$ implies that $\mathrm{CPos}_A(\bar V \to B) = \emptyset$. Hence, by induction hypothesis, $B < A$. 

We therefore have $B < A$, since $T = U\,\bar V \to B$, $\mathrm{Sort}_{\le A}(T)$ and $\mathrm{CPos}_A(T) = \emptyset$. 

Hence, $\mathrm{Sort}_{<A}(\bar T)$ and, by Lemma 8.10, $\mathrm{SPos}_A(\bar T) = \emptyset$. If $T_i < T$, then $[\![T_i]\!]$ satisfies (comp-red) and (comp-sn) by induction hypothesis. Otherwise, $T_i = T$ and $[\![T_i]\!]$ satisfies (comp-red) and (comp-sn) as shown previously. 

— $\mathrm{LPos}_A(T) = \emptyset$. Then, $\mathrm{SPos}_A(U) = \mathrm{NPos}_A(U) = \emptyset$ and $\mathrm{SPos}_A(V) = \mathrm{NPos}_A(V) = \mathrm{LPos}_A(V) = \mathrm{CPos}_A(V) = \emptyset$. By induction hypothesis, $[\![U]\!]$ satisfies (comp-sn), (comp-red) and (comp-neutral). 

Let now $V' \le V$. By Lemma 2.6, $\mathrm{Sort}_{\le A}(V')$. By Lemma 8.11, $\mathrm{SPos}_A(V') = \mathrm{NPos}_A(V') = \mathrm{LPos}_A(V') = \mathrm{CPos}_A(V') = \emptyset$. By (typ-right-subterm) and transitivity, $T > V'$. Hence, by induction hypothesis, $[\![V']\!]$ satisfies (comp-sn), (comp-red), (comp-neutral), (comp-lam) and (comp-small). 

Let now $W \le T$. By Lemma 2.6, $\mathrm{Sort}_{\le A}(W)$. Since $\mathrm{LPos}_A(T) = \emptyset$, we have $\mathrm{CPos}_A(T) = \emptyset$. Hence, $\mathrm{CPos}_A(W) = \emptyset$ by Lemma 8.11. If $W = T$, we have already seen that $[\![T]\!]$ satisfies (comp-small). Otherwise, $W < T$ and, by induction hypothesis, $[\![W]\!]$ satisfies (comp-small). 

Therefore, by Corollary 8.7, $[\![T]\!]$ satisfies (comp-lam). □ 

Theorem 8.13. Assume that the conditions of Figure 4 hold. For all types $T$, $[\![T]\!]$ is a computability predicate, i.e. satisfies (comp-sn), (comp-red), (comp-neutral), (comp-lam) and (comp-small). 

Proof. We proceed by induction on $>$, which is well-founded by assumption (typ-sn). We distinguish two cases: 

• $T$ is a sort $A$. By Lemma 6.23, $[\![A]\!]$ satisfies (comp-red), (comp-neutral) and (comp-lam). By Lemma 6.24 and induction hypothesis, $[\![A]\!]$ satisfies (comp-sn). 

Let $W < A$. By Lemma 2.5, $\mathrm{Sort}_{<A}(W)$. By Lemma 8.10, $\mathrm{CPos}_A(W) = \emptyset$. Therefore, $[\![W]\!]$ satisfies (comp-small) by Lemma 8.12. 

Let now $f^{|\bar T|} : \bar T \to A$ be small. By (small-sort), we have $(\forall i)\ \mathrm{Sort}_{\le A}(T_i)$ and $\mathrm{SPos}_A(T_i) = \emptyset$. Therefore, $[\![\bar T]\!]$ satisfies (comp-sn) and (comp-red) by Lemma 8.12. Hence, $[\![A]\!]$ satisfies (comp-small) by Lemma 8.8. 

• Otherwise, $T = U \to V$. Since $T > U$, by induction hypothesis, $[\![U]\!]$ is a computability predicate. Let now $V'$ be a type such that $V \ge V'$. By (typ-right-subterm) and transitivity, $T > V'$. By induction hypothesis, $[\![V']\!]$ is a computability predicate. Therefore, $[\![U \to V]\!]$ satisfies (comp-sn) by Lemma 6.13, (comp-red) by Lemma 6.14, (comp-neutral) by Corollary 8.5, (comp-small) by Lemma 8.8 and (comp-lam) by Corollary 8.7. □ 

Theorem 8.14. If the conditions of Figure 4 hold, then the relation $>_{\mathcal T}$ of Definition 8.1 is well-founded. 

Proof. After Theorem 6.11, Theorem 8.13 and Lemma 7.25. □ 


8.4. Checking computability assumptions for small symbols. We explore here simple sufficient conditions under which the set $\mathrm{SPos}_A(T)$ is empty, and therefore which symbols whose output type is a sort $A$ can be declared as small. The order of a type plays an important role here. In case these conditions are not met, it is of course always possible to check (small-sort) and (small-arrow), which are both decidable. 


Lemma 8.15. $\mathrm{SPos}_A(T) = \emptyset$ if $o(T) \le 1$. 

Proof. We proceed by induction on $T$. 

• $T = B$. Then, $\mathrm{SPos}_A(T) = \emptyset$ by definition. 

• $T = U \to V$. Since $o(T) \le 1$, $o(U) \le 0$ and $o(V) \le 1$. $U$ being a sort, $\mathrm{NPos}_A(U) = \emptyset$. Since $o(V) \le 1$, $\mathrm{SPos}_A(V) = \emptyset$ by induction hypothesis. Hence, $\mathrm{SPos}_A(T) = \emptyset$. □ 

Any symbol whose type is of order less than or equal to 2 can therefore be declared as small, since its arguments then have a type of order less than or equal to 1. This is in particular the case of the constructors of first-order data types. 

More generally, every constructor of a strictly-positive inductive type can be declared as small, whatever its order is; this is the class of inductive types allowed in the Coq proof assistant [54]: 

Lemma 8.16. Given types $\bar T$ and a sort $A$, $\mathrm{SPos}_A(\bar T \to A) = \emptyset$ if $\mathrm{Sort}_{<A}(\bar T)$. 

Proof. By induction on $\bar T$. 

• $T = A$. Immediate. 

• $T = U \to V$. Then, $\mathrm{Sort}_{<A}(U)$ and $V$ is of the form $\bar T' \to A$ with $\mathrm{Sort}_{<A}(\bar T')$. By Lemma 8.10, $\mathrm{NPos}_A(U) = \emptyset$. By induction hypothesis, $\mathrm{SPos}_A(V) = \emptyset$. Therefore, $\mathrm{SPos}_A(T) = \emptyset$. □ 

Non-strictly positive types are not available in Coq because strong elimination rules may cause non-terminating computations in Coq's richer type system [29]. Nothing like this can happen in our simple type system, in which constructors of non-strictly positive inductive types of order $\le 2$ can be declared as small: 

Lemma 8.17. $\mathrm{NPos}_A(T) = \mathrm{LPos}_A(T) = \mathrm{CPos}_A(T) = \emptyset$ if $o(T) \le 1$, $\mathrm{Sort}_{\le A}(T)$ and $\mathrm{Pos}(A,T) \subseteq \mathrm{Pos}^-(T)$. 

Proof. We proceed by induction on $T$. 

• $T = B$. Then, $\mathrm{NPos}_A(T) = \mathrm{LPos}_A(T) = \emptyset$ by definition. Since $\mathrm{Sort}_{\le A}(T)$, we have $B \le A$. Since $\mathrm{Pos}(A,T) \subseteq \mathrm{Pos}^-(T)$ and $\mathrm{Pos}^-(T) = \emptyset$, we have $B \ne A$. Therefore, $\mathrm{CPos}_A(T) = \emptyset$. 

• $T = U \to V$. Since $o(T) \le 1$, we have $o(U) \le 0$ and $o(V) \le 1$. Thus, $U$ is a sort and $\mathrm{SPos}_A(U) = \mathrm{NPos}_A(U) = \emptyset$. By Lemma 8.15, $\mathrm{SPos}_A(V) = \emptyset$. Since $\mathrm{Sort}_{\le A}(T)$, we have $\mathrm{Sort}_{\le A}(V)$. Since $\mathrm{Pos}(A,T) \subseteq \mathrm{Pos}^-(T)$, we have $\mathrm{Pos}(A,V) \subseteq \mathrm{Pos}^-(V)$. Hence, by induction hypothesis, $\mathrm{NPos}_A(V) = \mathrm{LPos}_A(V) = \mathrm{CPos}_A(V) = \emptyset$. Therefore, $\mathrm{NPos}_A(T) = \mathrm{LPos}_A(T) = \mathrm{CPos}_A(T) = \emptyset$. □ 

Lemma 8.18. $\mathrm{SPos}_A(T) = \emptyset$ if $o(T) \le 2$, $\mathrm{Sort}_{\le A}(T)$ and $\mathrm{Pos}(A,T) \subseteq \mathrm{Pos}^+(T)$. 

Proof. We proceed by induction on $T$. 

• $T = B$. Then, $\mathrm{SPos}_A(T) = \emptyset$ by definition. 

• $T = U \to V$. Since $o(T) \le 2$, we have $o(U) \le 1$ and $o(V) \le 2$. Since $\mathrm{Sort}_{\le A}(T)$, we have $\mathrm{Sort}_{\le A}(U)$ and $\mathrm{Sort}_{\le A}(V)$. Since $\mathrm{Pos}(A,T) \subseteq \mathrm{Pos}^+(T)$, we have $\mathrm{Pos}(A,U) \subseteq \mathrm{Pos}^-(U)$ and $\mathrm{Pos}(A,V) \subseteq \mathrm{Pos}^+(V)$. Hence, by Lemma 8.17, $\mathrm{NPos}_A(U) = \emptyset$ and, by induction hypothesis, $\mathrm{SPos}_A(V) = \emptyset$. Therefore, $\mathrm{SPos}_A(T) = \emptyset$. □ 

But positivity is not always sufficient, as shown by the following example. Assume that $f : T \to A$ with $T = (B \to N) \to A$, $N = (B \to A) \to B$ and $B < A$. The sort $A$ occurs negatively in $N$ and positively in $T$, which is a third-order type. We cannot declare $f$ as small since we do not know how to prove that $[\![T]\!]$ satisfies (comp-sn) by using our lemmas. Indeed, to prove that $[\![T]\!]$ satisfies (comp-sn), we need to prove that $[\![B \to N]\!]$ satisfies (comp-neutral) (Lemma 6.13). To prove that $[\![B \to N]\!]$ satisfies (comp-neutral), we need to prove that $[\![N]\!]$ satisfies (comp-lam) (Corollary 8.5). To prove that $[\![N]\!]$ satisfies (comp-lam), we need to prove that $[\![B \to A]\!]$ satisfies (comp-neutral) (Corollary 8.7). To prove that $[\![B \to A]\!]$ satisfies (comp-neutral), we need to prove that $[\![A]\!]$ satisfies (comp-small) (Corollary 8.5). But, to prove that $[\![A]\!]$ satisfies (comp-small), we need to prove that $[\![T]\!]$ satisfies (comp-sn) (Lemma 8.8). The circularity has not been broken here, but we can of course declare $f$ as being big instead of small. 
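As an added illustration, which is not part of the paper, the following Python code computes the position sets of Definition 8.9 clause by clause, together with the type order, signed positions and sort condition used by Lemmas 8.15 to 8.18 and by (small-sort) of Figure 4, and runs them on the counter-example above. The paper defines $o(T)$, $\mathrm{Pos}(A,T)$, $\mathrm{Pos}^+(T)$ and $\mathrm{Pos}^-(T)$ in an earlier section that is not reproduced here; the code assumes the standard definitions (a sort has order 0, $o(U \to V) = \max(o(U)+1, o(V))$, and the sign of a position flips under the domain of an arrow). The sort ordering is supplied explicitly as a set of pairs, and all sample types are constructed for the example.

```python
from dataclasses import dataclass

# Simple types: a sort is a plain string, an arrow type U -> V is Arrow(U, V).
@dataclass(frozen=True)
class Arrow:
    dom: object
    cod: object

def prefix(i, ps):
    """Prepend the argument index i ("1" or "2") to every position in ps."""
    return frozenset(i + p for p in ps)

# Definition 8.9, written out clause by clause. Positions are strings over {1, 2};
# the empty string stands for the root position epsilon.
def cpos(A, T):
    if isinstance(T, str):
        return frozenset({""}) if T == A else frozenset()
    return npos(A, T)

def spos(A, T):
    if isinstance(T, str):
        return frozenset()
    return prefix("1", npos(A, T.dom)) | prefix("2", spos(A, T.cod))

rpos = spos  # RPos_A(T) = SPos_A(T) for every T

def npos(A, T):
    if isinstance(T, str):
        return frozenset()
    return (prefix("1", spos(A, T.dom) | rpos(A, T.dom))
            | prefix("2", rpos(A, T.cod) | npos(A, T.cod) | lpos(A, T.cod) | cpos(A, T.cod)))

def lpos(A, T):
    if isinstance(T, str):
        return frozenset()
    return (cpos(A, T)
            | prefix("1", spos(A, T.dom) | rpos(A, T.dom) | npos(A, T.dom))
            | prefix("2", spos(A, T.cod) | rpos(A, T.cod) | npos(A, T.cod)
                          | lpos(A, T.cod) | cpos(A, T.cod)))

def inclusions_hold(A, T):
    """The remark after Definition 8.9 (SPos subset of LPos, NPos subset of CPos), on T and its subtypes."""
    ok = spos(A, T) <= lpos(A, T) and npos(A, T) <= cpos(A, T)
    if isinstance(T, Arrow):
        ok = ok and inclusions_hold(A, T.dom) and inclusions_hold(A, T.cod)
    return ok

# Assumed (standard) definitions of the order of a type and of signed positions;
# the paper defines them in an earlier section not reproduced here.
def order(T):
    return 0 if isinstance(T, str) else max(order(T.dom) + 1, order(T.cod))

def signed_pos(T, positive=True):
    """Pos+(T) when positive, Pos-(T) otherwise; the sign flips under the domain of an arrow."""
    if isinstance(T, str):
        return frozenset({""}) if positive else frozenset()
    return prefix("1", signed_pos(T.dom, not positive)) | prefix("2", signed_pos(T.cod, positive))

def pos_of_sort(A, T):
    """Pos(A, T): every position at which the sort A occurs in T."""
    if isinstance(T, str):
        return frozenset({""}) if T == A else frozenset()
    return prefix("1", pos_of_sort(A, T.dom)) | prefix("2", pos_of_sort(A, T.cod))

def sorts(T):
    return {T} if isinstance(T, str) else sorts(T.dom) | sorts(T.cod)

def sort_le(B, A, lt):
    """B <= A in the sort ordering given by the set lt of pairs (B, A) meaning B < A."""
    return B == A or (B, A) in lt

def small_sort_ok(arg_types, A, lt):
    """Condition (small-sort) of Figure 4 for a symbol f : T1 -> ... -> Tn -> A."""
    return all(all(sort_le(B, A, lt) for B in sorts(Ti)) and not spos(A, Ti)
               for Ti in arg_types)

def examples():
    """Run the checks on the types discussed in Section 8.4 (sort ordering B < A, constructed)."""
    A, B = "A", "B"
    lt = {(B, A)}
    N = Arrow(Arrow(B, A), B)
    T = Arrow(Arrow(B, N), A)            # the counter-example: f : T -> A cannot be small
    strictly_positive = Arrow(B, A)      # argument type allowed by Lemma 8.16
    non_strict = Arrow(Arrow(A, B), A)   # order 2, A positive but not strictly (Lemma 8.18)
    return {
        "counter_order": order(T),                                   # 3
        "counter_positive": pos_of_sort(A, T) <= signed_pos(T),      # True: A occurs only positively
        "counter_spos": sorted(spos(A, T)),                          # ["1212"]: the A inside N
        "counter_small_sort": small_sort_ok([T], A, lt),             # False
        "strictly_positive_small_sort": small_sort_ok([strictly_positive], A, lt),  # True
        "non_strict_order": order(non_strict),                       # 2
        "non_strict_small_sort": small_sort_ok([non_strict], A, lt), # True
    }

if __name__ == "__main__":
    for name, value in examples().items():
        print(name, value)
```

The single problematic position returned for the counter-example, 1212, is exactly the occurrence of $A$ inside $N$ that the chain of dependencies in the text goes through, while the two lower-order argument types pass (small-sort) as Lemmas 8.16 and 8.18 predict.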

8.5. Examples. In this section, we analyze two examples that show the need for small symbols and their use. We will see that CPO with small symbols contains not only core CPO, but also a subset of its transitive closure. But CPO with small symbols is not transitive either, as shown by the second example, which needs the use of both small symbols and the transitive closure. 

Example 8.19. Taken from the Termination Problems Data Base (TPDB) [87] under the name Applicative_05_TreeFlatten. Let $a$ be a sort. Consider the function symbols $\mathsf{nil} : a$, $\mathsf{flatten} : a \to a$, $\mathsf{concat}^1 : a \to a$, $\mathsf{cons}^2 : a \to a \to a$, $\mathsf{append}^2 : a \to a \to a$, $\mathsf{node}^2 : a \to a \to a$ and $\mathsf{map}^2 : (a \to a) \to a \to a$. 

The higher-order rewrite system 

$\mathsf{map}(F, \mathsf{nil}) \to \mathsf{nil}$ 

$\mathsf{map}(F, \mathsf{cons}(x, v)) \to \mathsf{cons}(F\,x, \mathsf{map}(F, v))$ 

$\mathsf{flatten}\ \mathsf{node}(x, v) \to \mathsf{cons}(x, \mathsf{concat}(\mathsf{map}(\mathsf{flatten}, v)))$ 

$\mathsf{concat}(\mathsf{nil}) \to \mathsf{nil}$ 

$\mathsf{concat}(\mathsf{cons}(x, v)) \to \mathsf{append}(x, \mathsf{concat}(v))$ 

$\mathsf{append}(\mathsf{nil}, v) \to v$ 

$\mathsf{append}(\mathsf{cons}(x, u), v) \to \mathsf{cons}(x, \mathsf{append}(u, v))$ 

can be proved terminating with CPO by considering $\mathsf{concat}$, $\mathsf{append}$, $\mathsf{map}$, $\mathsf{cons}$ and $\mathsf{nil}$ small, while $\mathsf{node}$ and $\mathsf{flatten}$ can be either small or big (we consider them as big in the following). All symbols can have multiset status. Let the precedence be $\mathsf{concat} >_{\mathcal F} \mathsf{append} >_{\mathcal F} \mathsf{cons}$, $\mathsf{node} >_{\mathcal F} \mathsf{map} >_{\mathcal F} \mathsf{nil}$, $\mathsf{node} >_{\mathcal F} \mathsf{flatten}$ and $\mathsf{map} >_{\mathcal F} \mathsf{cons}$. 

Let us show the proof of the third rule, which is the most interesting one. Since $\mathsf{cons}$ is small, we apply first $(@\mathcal F_s)$, and then we recursively need $\mathsf{flatten}\ \mathsf{node}(x,v) >_{\mathcal T} x$, which holds by $(@\rhd)$ and then $(\mathcal F \rhd)$, and $\mathsf{flatten}\ \mathsf{node}(x,v) >_{\mathcal T} \mathsf{concat}(\mathsf{map}(\mathsf{flatten}, v))$, which needs $(@\mathcal F_s)$ again. We then recursively need $\mathsf{flatten}\ \mathsf{node}(x,v) >_{\mathcal T} \mathsf{map}(\mathsf{flatten}, v)$, which generates the subgoal $\mathsf{node}(x,v) \ge_{\mathcal T} \mathsf{map}(\mathsf{flatten}, v)$ by $(@\rhd)$, and then the new subgoals $\mathsf{node}(x,v) >_{\mathcal T} \mathsf{flatten}$ and $\mathsf{node}(x,v) >_{\mathcal T} v$ by $(\mathcal F >)$. We conclude by $(\mathcal F >)$ and $(\mathcal F \rhd)$ respectively. 

The above example cannot be proved terminating by core CPO because $\mathsf{flatten}$ is curried and the head symbol of the third rule is then an application. There is however a way out with the transitive closure of core CPO if one allows the introduction of new symbols. Let $\mathsf{flattenunc}^1 : a \to a$ be a new symbol. Assuming for example $\mathsf{flatten} >_{\mathcal F} \mathsf{flattenunc}$ and $\mathsf{node} >_{\mathcal F} \{\mathsf{cons}, \mathsf{concat}, \mathsf{map}, \mathsf{flatten}\}$, we can then show the successive ordering comparisons: 

$\mathsf{flatten}\ \mathsf{node}(x,v) >_{\mathcal T} (\lambda x\,\mathsf{flattenunc}(x))\ \mathsf{node}(x,v)$ 

$(\lambda x\,\mathsf{flattenunc}(x))\ \mathsf{node}(x,v) >_{\mathcal T} \mathsf{flattenunc}(\mathsf{node}(x,v))$ 

$\mathsf{flattenunc}(\mathsf{node}(x,v)) >_{\mathcal T} \mathsf{cons}(x, \mathsf{concat}(\mathsf{map}(\mathsf{flatten}, v)))$ 

The first reduces to $\mathsf{flatten} >_{\mathcal T} \lambda x\,\mathsf{flattenunc}(x)$, the second is a $\beta$-reduction, and the third is a classical RPO-like computation. Details are left to the reader. 

The use of small symbols can therefore help in showing termination of examples that would otherwise require the use of the transitive closure of core CPO (as well as a signature extension in the above case). Small symbols, however, do not make CPO transitive. Our second example indeed requires using both small symbols and the transitive closure: 

Example 8.20. Taken from TPDB under the name AotoYamada_05_014. Let $a$ and $b$ be sorts. Consider the function symbols $0 : b$, $\mathsf{nil} : a$, $\mathsf{inc} : a \to a$, $\mathsf{double} : a \to a$, $\mathsf s^1 : b \to b$, $\mathsf{plus}^1 : b \to b \to b$, $\mathsf{times}^1 : b \to b \to b$, $\mathsf{map}^1 : (b \to b) \to a \to a$, and $\mathsf{cons}^2 : b \to a \to a$. 

The higher-order rewrite system 

$\mathsf{plus}(0)\ x \to x$ 

$\mathsf{plus}(\mathsf s(y))\ x \to \mathsf s(\mathsf{plus}(y)\ x)$ 

$\mathsf{times}(0)\ x \to 0$ 

$\mathsf{times}(\mathsf s(y))\ x \to \mathsf{plus}(\mathsf{times}(y)\ x)\ x$ 

$\mathsf{map}(F)\ \mathsf{nil} \to \mathsf{nil}$ 

$\mathsf{map}(F)\ \mathsf{cons}(x, v) \to \mathsf{cons}(F\,x, \mathsf{map}(F)\ v)$ 

$\mathsf{inc} \to \mathsf{map}(\mathsf{plus}(\mathsf s(0)))$ 

$\mathsf{double} \to \mathsf{map}(\mathsf{times}(\mathsf s(\mathsf s(0))))$ 

can be proved terminating with CPO by taking $a = b$ in the type ordering, $\mathsf{cons}$ and $\mathsf s$ as small symbols, the precedence $\mathsf{times} >_{\mathcal F} \mathsf{plus}$, $\mathsf{inc} >_{\mathcal F} \{\mathsf{map}, \mathsf{plus}, 0\}$, $\mathsf{double} >_{\mathcal F} \{\mathsf{map}, \mathsf{times}, 0\}$, and status multiset for all symbols. 

We consider the 4th rule, for which we shall use the transitive closure of CPO, and the 6th rule, for which small symbols are needed (for the second rule too). 

For the 4th rule, we exhibit the middle term $(\lambda z\,\mathsf{plus}(\mathsf{times}(y)\ z)\ z)\ x$, which is smaller than the lefthand side and $\beta$-reduces to the righthand side of the rule. 

To prove that $\mathsf{times}(\mathsf s(y))\ x$ is greater than this middle term, we apply $(@=)$, and since the second arguments are equal, we have to show that $\mathsf{times}(\mathsf s(y)) >_{\mathcal T} (\lambda z\,\mathsf{plus}(\mathsf{times}(y)\ z)\ z)$. Since both terms have the same type, by $(\mathcal F \lambda)$ and then $(\mathcal F @)$, we are left to show $\mathsf{times}(\mathsf s(y)) >_{\mathcal T}^{\{z\}} \mathsf{plus}(\mathsf{times}(y)\ z)$, since $\mathsf{times}(\mathsf s(y)) >_{\mathcal T}^{\{z\}} z$ holds by $(\mathcal F X)$. For this last check, we apply first $(\mathcal F >)$ and then $(\mathcal F @)$, since $\mathsf{times}(\mathsf s(y)) >_{\mathcal T}^{\{z\}} \mathsf{times}(y)$ holds by the rule for equal head symbols followed by $(\mathcal F_s \rhd)$, and $\mathsf{times}(\mathsf s(y)) >_{\mathcal T}^{\{z\}} z$ holds by $(\mathcal F X)$. 

For the 6th rule, we apply first $(@\mathcal F_s)$, which requires to check $\mathsf{map}(F)\ \mathsf{cons}(x,v) >_{\mathcal T} F\,x$ and $\mathsf{map}(F)\ \mathsf{cons}(x,v) >_{\mathcal T} \mathsf{map}(F)\ v$. Since the types of both sides are equivalent, the first one holds by applying $(@=)$ and then $(\mathcal F \rhd)$ to the first argument and $(\mathcal F_s \rhd)$ to the second one. Finally, for $\mathsf{map}(F)\ \mathsf{cons}(x,v) >_{\mathcal T} \mathsf{map}(F)\ v$, we apply $(@=)$ and then $(\mathcal F_s \rhd)$ to the second argument. 


9. Conclusion 

We have defined in this paper a well-founded relation on algebraic lambda-terms following a type discipline accepting simple types in the sense of Church, and inductive types in the sense of Martin-Löf. Further, we could easily cope with (implicitly) universally quantified type variables as in [59], a type discipline called weak polymorphism. 

We want to stress that core CPO has reached a point where we cannot expect any major improvement, as indicated by the counter-examples found to our own attempts to improve it. We are greatly indebted to Cynthia Kop and Femke van Raamsdonk for igniting this quest, by providing us with an example showing that removing the type check in the rule results in losing the well-foundedness property [61]. The very existence of these counter-examples supports our conviction that CPO defines an extremely sharp decidable approximation of the sets of rules for which there exists a computability predicate. 

Of course, all these counter-examples still hold when adding inductive types and small symbols. We did our best to exploit the idea of small symbols as much as possible within our proof frame, but cannot argue that the conditions on the signature of small symbols are all necessary and that the corresponding recursive calls cannot be improved: we did not extend our quest for counter-examples to this question. We finally believe that there is also some room left for improving the accessibility relationship, which is restricted so far to terms headed by a function symbol, possibly applied to extra arguments. 

A more challenging problem to be investigated now is the generalization of this new definition to the calculus of constructions along the lines of [91] and the suggestions made in [59], where an RPO-like ordering on types was proposed which made it possible to give a single definition for terms and types. Generalizing CPO to dependent types appears to follow the classical route initiated in [49], albeit non-trivially [55]. We therefore believe that this work should be applicable to Dedukti [79] with limited effort. On the other hand, we have failed so far to generalize CPO to truly polymorphic types: its use in the proof assistant Coq [54] will require much more effort. 

Finally, note that HORPO [65] on the one hand, and the notion of computability closure on the other hand, have already been formalized in the proof assistant Coq [54]. These works could serve as a basis for formalizing the results presented in this paper and for developing a termination certificate verifier for CPO. 

Acknowledgements. The authors thank the reviewers for their suggestions. 